WithinEHR Legal Policies
Effective: May 26, 2025 • Last Updated: May 26, 2025
Privacy Policy
This Privacy Policy describes how WithinLabs, Inc. (“Company”, “we”, or “us”), the provider of the WithinEHR platform (“WithinEHR”, “Platform”, or “Service”), collects, uses, stores, and protects the personal and protected health information (PHI) of users who access or use our Platform, available at www.withinehr.com.
By using the Platform, you agree to the terms of this Privacy Policy and consent to the collection and use of your information as described herein.
Information Collected:
- Identifying information: Name, email, phone number, address, and practice details.
- Health information: Patient data entered by users, including PHI protected by HIPAA.
- Technical information.
Use of Information:
- To operate, maintain, and improve the Platform.
- To support care, management, and billing.
- To comply with applicable laws and enforce our Terms of Use.
Data Sharing:
- With authorized subprocessors under Business Associate Agreements (BAAs).
- As required by legal or regulatory authorities.
- With user consent or at the user’s explicit direction.
Data Retention
- PHI and personal data are retained only as long as necessary for service delivery or legal obligations.
Data Protection:
- AES-256 encryption at rest, TLS 1.2+ encryption in transit.
- Access control, audit logging, and intrusion detection systems.
- Third-party penetration testing and internal security reviews.
International Users: The Platform is operated in the United States and is intended for use by U.S.-based healthcare providers. Data may be transferred to the U.S. for processing.
Children’s Privacy: The Platform is not intended for use by individuals under the age of 13. We do not knowingly collect data from children.
Security Policy
Effective: May 26, 2025 • Last Updated: May 26, 2025
At WithinLabs, Inc., security is core to everything we build. We maintain administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of information on the WithinEHR Platform.
Key Measures:
- AES-256 encryption for data at rest and TLS 1.2+ for data in transit.
- Role-based access control (RBAC), MFA, and zero-trust network architecture.
- SOC2-aligned controls and annual third-party audits.
- Regular vulnerability scans, penetration testing, and real-time threat monitoring.
Incident Response:
- Formal breach response policy with 24/7 monitoring.
- Notification to affected users and Covered Entities within applicable HIPAA timelines.
- Root cause analysis and remediation plan implemented for each event.
Compliance Standards:
- HIPAA Security Rule
- NIST SP 800-53
- SOC2 Type II readiness
- Business Associate Agreements signed with relevant parties
Business Policy
Effective: May 26, 2025 • Last Updated: May 26, 2025
This Business Policy outlines expectations and conditions governing access to and use of the WithinEHR Platform, operated by WithinLabs, Inc.
- Eligibility: Access is limited to authorized healthcare providers, licensed clinicians, and verified staff of Covered Entities.
- Account Responsibilities: Users must maintain confidentiality of login credentials.
- Organizations are responsible for activity under their accounts, including employee access.
- Prohibited Actions:
- Unauthorized disclosure of PHI, data scraping, reverse-engineering, or malicious activities.
- Violations may result in account suspension or termination.
- Support: Customer support is available via email and in-app chat, with response times based on priority severity (critical: 4 hours, standard: 48 hours).
- Amendments: We may modify this Business Policy. Updates will be communicated via the Platform or email.
Business Associate Agreement (BAA)
Effective: May 26, 2025 • Last Updated: May 26, 2025
This Business Associate Agreement (“Agreement”) is entered into by and between the Covered Entity (“Covered Entity”) and WithinLabs, Inc. (“Business Associate”), in accordance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its implementing regulations.
- Scope: This Agreement governs the handling of PHI disclosed by Covered Entity to Business Associate through the WithinEHR Platform.
- Permitted Uses: Business Associate may use PHI solely to perform functions, activities, or services for the Covered Entity as specified in the underlying Service Agreement.
- Obligations: Implement reasonable and appropriate safeguards.
- Report any breach or unauthorized access to PHI within 5 business days.
- Ensure subcontractors agree to same restrictions and conditions.
- Audit Right: Covered Entity may request an audit to confirm compliance with this Agreement.
- Termination: Upon termination, Business Associate will return or destroy PHI unless retention is required by law.
- Governing Law: This Agreement is governed by HIPAA and the laws of the State of Texas.
Terms of Use
Effective: May 26, 2025 • Last Updated: May 26, 2025
These Terms of Use (“Terms”) govern your access and use of the WithinEHR platform (“Service”) provided by WithinLabs, Inc. (“Company”).
- Acceptance: By accessing the Service, you agree to be bound by these Terms and our Privacy Policy.
- License: We grant you a non-exclusive, non-transferable, revocable license to use the Service solely for healthcare-related and lawful purposes.
- User Responsibilities: Maintain accurate information in your account.
- Comply with HIPAA, applicable healthcare laws, and these Terms.
- Do not share credentials, resell access, or misuse the Service.
- Limitation of Liability:
- The Service is provided “as is”. Company disclaims all warranties, express or implied.
- In no event will the Company's liability exceed the fees paid in the past 12 months.
- Indemnification: You agree to indemnify and hold harmless WithinLabs, Inc. against any third-party claims arising from your use of the Service.
- Dispute Resolution: Disputes shall be resolved through binding arbitration in Dallas County, Texas, in accordance with the American Arbitration Association rules.
- Modifications: These Terms may be updated. Continued use of the Service constitutes acceptance of the revised Terms.