Terms of Service

1. Acceptance of Terms

By accessing or using HealthXfer's services, platform, or API (collectively, the “Service”), you agree to be bound by these Terms of Service (“Terms”) and all applicable laws and regulations. If you do not agree with any of these Terms, you are prohibited from using the Service.

These Terms constitute a legally binding agreement between you (and the organization you represent, if applicable) and HealthXfer, Inc. (“HealthXfer”, “we”, “us”, or “our”).

2. Service Description

HealthXfer provides a healthcare record exchange platform that facilitates the routing and fulfillment of medical record requests between healthcare organizations, their departments, and requestors.

HealthXfer is not a records custodian. We do not store, own, or maintain medical records or patient charts. Our platform acts as plumbing — routing requests to the appropriate fulfilling department and writing audit events to your EHR (e.g., Epic). The source of truth for all patient records remains with the Covered Entity.

We reserve the right to modify, suspend, or discontinue any aspect of the Service at any time with reasonable notice.

3. HIPAA Compliance

If you are a Covered Entity or Business Associate under HIPAA (the Health Insurance Portability and Accountability Act of 1996, as amended), you are responsible for ensuring your own organization's compliance with applicable HIPAA requirements, including the Privacy Rule, Security Rule, and Breach Notification Rule.

HealthXfer is available to enter into a Business Associate Agreement (BAA) with Covered Entities as required by HIPAA. Using the Service to transmit or process protected health information (PHI) without an executed BAA in place is a material breach of these Terms.

To request a BAA, contact legal@healthxfer.com.

4. User Responsibilities

You agree to:

• Provide accurate and complete information when registering and using the Service, including your organization name, contact details, and any required identifiers.
• Maintain the security and confidentiality of your API keys, credentials, and account access. You are solely responsible for all activity that occurs under your account. Notify us immediately of any unauthorized use at legal@healthxfer.com.
• Not use the Service to access, process, or transmit PHI for which you do not have proper authorization under HIPAA and applicable law.
• Ensure that all users within your organization who access the Service are trained on proper use and are bound by policies consistent with these Terms.
• Comply with all applicable federal, state, and local laws and regulations in connection with your use of the Service.

5. Data and Privacy

No permanent PHI storage. HealthXfer does not permanently store protected health information. Minimal identifiers (MRN and date of birth) used for patient lookup are encrypted and stored temporarily in a secure vault with a 72-hour time-to-live (TTL). PHI is deleted automatically after transfer is complete or upon TTL expiry, whichever comes first.

Audit logs. Audit logs recording request metadata (not patient records) are retained for 7 years in accordance with HIPAA requirements.

Your use of the Service is also governed by our Privacy Policy, which is incorporated into these Terms by reference.

6. Prohibited Uses

You may not use the Service to:

• Reverse engineer, decompile, disassemble, or attempt to discover the source code, algorithms, or underlying structure of the Service.
• Gain unauthorized access to any systems, networks, accounts, or data associated with HealthXfer or any third party.
• Use the Service for purposes other than legitimate healthcare record exchange and related healthcare operations.
• Transmit malicious code, viruses, or any software intended to damage or disrupt the Service or connected systems.
• Scrape, harvest, or collect data from the Service in an automated manner without express written consent from HealthXfer.
• Misrepresent your identity, organization, or authorization when submitting or fulfilling record requests.

7. Limitation of Liability

To the maximum extent permitted by applicable law, HealthXfer shall not be liable for any indirect, incidental, special, consequential, or punitive damages, including but not limited to loss of profits, data, use, goodwill, or other intangible losses, arising out of or in connection with your use or inability to use the Service.

HealthXfer's total cumulative liability to you for all claims arising out of or related to these Terms or the Service shall not exceed the greater of (a) the amounts paid by you to HealthXfer in the twelve months prior to the event giving rise to the claim, or (b) one hundred dollars ($100).

Some jurisdictions do not allow the exclusion or limitation of certain damages, so the above limitations may not apply to you.

8. Termination

HealthXfer may suspend or terminate your access to the Service at any time, with or without cause or notice, including for violation of these Terms.

You may terminate your account at any time by contacting us. Upon termination, your right to use the Service immediately ceases.

Provisions of these Terms that by their nature should survive termination shall survive, including but not limited to: ownership provisions, warranty disclaimers, indemnity, and limitations of liability.

9. Changes to Terms

We reserve the right to modify these Terms at any time. When we make changes, we will update the “Effective” date at the top of this page and, where the changes are material, we will provide additional notice (such as an email notification to account holders).

Your continued use of the Service after any changes to these Terms constitutes your acceptance of the new Terms. If you do not agree to the modified Terms, you must stop using the Service.

10. Contact

If you have questions about these Terms, please contact us at legal@healthxfer.com. For privacy-related inquiries, see our Privacy Policy.