RX Approvals is designed from the ground up to be HIPAA compliant. As a platform that handles prescription approval workflows between patients, veterinary clinics, and pharmacies, we take the security and privacy of Protected Health Information (PHI) extremely seriously. This page describes our compliance posture, the safeguards we maintain, and your rights under HIPAA.
End-to-End Encryption
All PHI is encrypted in transit (TLS 1.2+) and at rest using AES-256.
Secure Fax Network
Fax transmissions are sent via SRFax, a HIPAA-compliant enterprise fax provider.
Secure Email Delivery
Prescription notifications are sent via AWS SES with full delivery logging.
Complete Audit Trails
Every action on every prescription is logged with timestamp and user identity.
Overview
The Health Insurance Portability and Accountability Act (HIPAA) establishes national standards for the protection of individuals' medical records and other personal health information. The HIPAA Privacy Rule and Security Rule set the standards for how covered entities and their business associates must protect PHI.
RX Approvals operates as a Business Associate under HIPAA, providing technology services to covered entities (veterinary clinics and pharmacies) that involve the creation, receipt, maintenance, and transmission of PHI. We are fully committed to operating in compliance with all applicable HIPAA requirements.
HIPAA compliance is not a one-time certification — it is an ongoing operational commitment. RX Approvals maintains continuous compliance through regular risk assessments, staff training, policy reviews, and technical audits.
Protected Health Information (PHI)
Protected Health Information (PHI) is any information that relates to an individual's health condition, provision of healthcare, or payment for healthcare that can be used to identify the individual. In the context of RX Approvals, PHI includes but is not limited to:
- Patient names and contact information
- Pet/patient health conditions
- Prescription details and medication names
- Veterinarian and clinic information
- Prescription approval status records
- Fax and email communication logs
- Order and fulfillment references
- Dosage and treatment information
RX Approvals uses PHI only for the purposes of providing our prescription management services and never sells, rents, or discloses PHI to unauthorized third parties.
Technical Safeguards
The HIPAA Security Rule requires covered entities and business associates to implement technical safeguards to guard against unauthorized access to ePHI transmitted over electronic communications networks. RX Approvals implements the following:
- TLS 1.2+ Encryption in Transit — All data exchanged between users, our servers, and third-party services is transmitted over encrypted HTTPS connections.
- AES-256 Encryption at Rest — All stored PHI, including prescription PDFs and patient records, is encrypted at the storage layer.
- Role-Based Access Controls — Access to PHI is restricted to authorized users only. Pharmacy staff, clinic staff, and administrators each have distinct permission scopes.
- Session Authentication — User sessions are authenticated and time-limited. Inactive sessions are automatically terminated.
- Secure Fax Transmission — All prescription faxes are transmitted through SRFax, an enterprise-grade HIPAA-compliant fax network with full delivery confirmation and logging.
- Secure Email via AWS SES — Patient and clinic notifications are sent through Amazon Simple Email Service, which provides encrypted delivery, bounce tracking, and delivery logging.
- Audit Logging — Every action performed on a prescription record — creation, fax send, email send, approval, denial — is logged with a timestamp and user identity.
- Automatic Backups — Data is backed up automatically on a regular schedule with encrypted backup storage.
Physical Safeguards
HIPAA requires physical safeguards to protect electronic systems, equipment, and data from natural and environmental hazards, and unauthorized intrusion. RX Approvals addresses physical safeguards through our cloud hosting infrastructure:
- Cloud-Hosted Infrastructure — RX Approvals is hosted on enterprise-grade cloud infrastructure with 24/7 physical security monitoring, biometric access controls, and redundant power systems.
- No Local PHI Storage — No PHI is stored on local workstations or removable media. All data resides in our secured cloud environment.
- Geo-Redundancy — Data is replicated across geographically separated data centers to ensure availability and resilience against physical failures.
- 99.9% Uptime SLA — Our infrastructure is maintained with a 99.9% uptime service level agreement, ensuring continuous availability of prescription workflow services.
Administrative Safeguards
Administrative safeguards are the policies and procedures that direct the conduct of the workforce and the selection, development, implementation, and maintenance of security measures. RX Approvals maintains the following administrative safeguards:
- Designated Privacy Officer — A designated HIPAA Privacy Officer is responsible for overseeing compliance with HIPAA Privacy and Security rules.
- Workforce Training — All personnel with access to PHI receive regular HIPAA training covering privacy rules, security practices, and breach reporting obligations.
- Risk Assessment Program — We conduct periodic risk assessments to identify and address potential vulnerabilities in our systems and processes.
- Minimum Necessary Standard — Access to PHI is limited to the minimum necessary to accomplish the intended business function. No employee has broader access than their role requires.
- Sanction Policy — Employees who violate HIPAA policies are subject to disciplinary action up to and including termination.
- Policy Review Cycle — All HIPAA-related policies and procedures are reviewed and updated at least annually or whenever there are significant changes to our operations or applicable regulations.
Business Associate Agreement (BAA)
Under HIPAA, covered entities (such as veterinary clinics and pharmacies) that work with business associates (such as RX Approvals) are required to have a signed Business Associate Agreement (BAA) in place before any PHI may be shared.
RX Approvals provides a BAA to all covered entity clients as part of the onboarding process. The BAA defines:
- The permitted uses and disclosures of PHI by RX Approvals
- Our obligation to safeguard PHI in accordance with HIPAA requirements
- Reporting obligations in the event of a breach or security incident
- Provisions for the return or destruction of PHI upon termination of services
- Sub-contractor and subprocessor obligations (e.g., SRFax, AWS SES)
If you are a covered entity and require a signed BAA, or have questions about our existing BAA, please contact us at info@rxapprovals.com. We will provide the necessary documentation promptly.
Breach Notification
The HIPAA Breach Notification Rule requires business associates to notify covered entities of any breach of unsecured PHI without unreasonable delay and in no case later than 60 calendar days after discovery of the breach.
RX Approvals maintains a formal Breach Response Plan that includes:
- Incident Detection — Automated monitoring systems flag anomalous activity and potential security incidents in real time.
- Incident Assessment — Upon detection of a potential breach, our team conducts a risk assessment to determine the nature, scope, and impact of the incident.
- Notification to Covered Entities — If a breach is confirmed, we notify affected covered entity clients within the required timeframe with full incident details.
- Containment and Remediation — Immediate steps are taken to contain the breach, mitigate harm, and prevent recurrence.
- Post-Incident Review — All security incidents are followed by a post-incident review to improve safeguards and prevent similar events.
If you suspect a security incident or unauthorized access to PHI through the RX Approvals platform, please report it immediately to info@rxapprovals.com. We treat all reports seriously and investigate promptly.
Your Rights
Under HIPAA, individuals have specific rights with respect to their PHI. While RX Approvals is a business associate (and not a covered entity), we support our covered entity clients in upholding these rights. Individual rights under HIPAA include:
- Right to Access — The right to inspect and obtain a copy of your PHI held by a covered entity.
- Right to Amend — The right to request corrections to inaccurate or incomplete PHI.
- Right to an Accounting of Disclosures — The right to receive a list of certain disclosures of your PHI made by a covered entity.
- Right to Request Restrictions — The right to request limits on how your PHI is used or disclosed.
- Right to Confidential Communications — The right to request that communications be made through alternative means or to alternative locations.
To exercise any of these rights, please contact your veterinary clinic or pharmacy directly, as they are the covered entity responsible for managing your health records. If you believe your rights have been violated, you may file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights (HHS OCR) at www.hhs.gov/ocr.
Questions About Our Compliance?
Our team is happy to discuss our HIPAA posture, provide our BAA, or answer any questions about how we protect your data.