Privacy Statement
Protecting patient trust is non-negotiable
RxEcho is purpose-built for pain clinics that require HIPAA-compliant tooling. This statement explains how we collect, use, and safeguard information across our platform.
Information We Collect
- Account and profile details provided by clinic staff and prescribers.
- Patient demographics and prescription metadata required for care coordination.
- SMS conversation content for audit trails and medication issue tracking.
- Usage analytics that help us improve feature performance (aggregated and anonymized).
How We Use Information
- Deliver RxEcho services, including medication issue detection, SMS automation, and e-prescribing workflows.
- Provide secure dashboards for clinic teams with role-based permissions.
- Send operational communications, alerts, and confirmations tied to prescription status.
- Comply with legal, regulatory, and accreditation requirements.
Sharing & Third Parties
- Supabase (HIPAA-ready PostgreSQL) for encrypted data storage and RLS enforcement.
- Twilio for secure SMS transport with webhook signing and delivery records.
- Google Gemini AI strictly for conversation assistance; PHI is minimized and encrypted in transit.
- Other service providers only when needed to deliver RxEcho features, bound by confidentiality obligations.
Data Security & HIPAA Alignment
- AES-256 encryption at rest via Supabase-managed PostgreSQL.
- TLS 1.2+ encryption for all data in transit.
- Row Level Security policies restrict data by tenant and role.
- Access logging and audit-ready timestamps on all medication activity.
SMS & Patient Communications
RxEcho routes SMS through Twilio with webhook signature validation. Patients can opt out at any time by replying STOP, and all conversations are retained for audit purposes according to clinic policy.
We limit PHI exposure in text messages, aggregate analytics whenever possible, and provide administrative controls to delete or export conversation histories.
Your Choices
Clinics can request data exports, corrections, or deletion of non-regulatory records by contacting our support team. Patients can update their communication preferences through their clinic. We review this statement regularly and will post updates with a new effective date when changes occur.
Contact
For privacy questions or PHI concerns, email compliance@rxecho.health. Please include your clinic name, point of contact, and a brief summary so we can respond within two business days.