
Acceptable Use Policy

EnWella Health Platform

Effective Date: [INSERT DATE]

Last Updated: [INSERT DATE]


Purpose

This Acceptable Use Policy ("AUP") defines standards of conduct for all users of the EnWella electronic health record platform. These standards protect the security, privacy, and integrity of patient health information, ensure compliance with applicable law, and maintain a trustworthy environment for all users.

All users — including healthcare providers, clinical and administrative staff, patients, and any authorized representatives — must comply with this AUP. Violations may result in account suspension, termination, and/or referral to law enforcement or licensing authorities.

This AUP supplements and is incorporated into the Terms of Service.


1. Authorized Use

The EnWella platform is authorized only for the following purposes:

1.1 Clinical and Administrative Use (Providers and Staff)

  • Managing electronic health records for patients under your care at an enrolled Practice
  • Clinical documentation, including notes, orders, prescriptions, and clinical summaries
  • Appointment scheduling and calendar management
  • Medical billing, claims management, and payment processing
  • Secure, HIPAA-compliant communication with patients and care team members
  • Uploading and managing clinical documents and attachments
  • Completing and sending intake forms, consent documents, and clinical surveys
  • Accessing administrative and practice management functions within your assigned role

1.2 Patient Use

  • Viewing health records and clinical summaries shared by your provider
  • Completing intake forms, consent documents, and surveys
  • Sending and receiving secure messages with your care team
  • Viewing and paying invoices for services rendered
  • Downloading copies of your records for personal use

1.3 All Users

  • Any use expressly authorized in writing by EnWella

2. Prohibited Conduct

The following conduct is strictly prohibited and will result in immediate account suspension and possible termination:

2.1 Privacy and PHI Violations

  • Unauthorized access: Accessing PHI without clinical or administrative necessity ("snooping") — including accessing records of family members, coworkers, celebrities, public figures, or any individual not under your care
  • Impermissible disclosure: Sharing, forwarding, printing, or otherwise disclosing PHI to unauthorized individuals (including family members of staff unless specifically authorized)
  • Minimum necessary violation: Accessing more PHI than is necessary for your assigned job function
  • Exfiltration: Downloading, copying, or transmitting patient records in bulk or for purposes other than providing care or practice operations
  • Using PHI for personal gain: Using patient contact information for personal marketing, solicitation, or any non-clinical purpose
  • Photography: Taking photos or screenshots of patient records on personal devices without explicit authorization from your Practice's Privacy Officer
  • Social media: Posting any patient-identifiable information, even in a seemingly anonymized form, on any social media platform

2.2 Security Violations

  • Credential sharing: Sharing login credentials with any other person, including colleagues. Each user must have their own account.
  • Unauthorized access attempts: Attempting to access accounts, records, or system areas you are not authorized to access
  • Bypassing security controls: Attempting to disable, circumvent, or bypass authentication, audit logging, encryption, or any other security control
  • Malware: Uploading or transmitting malicious code, viruses, ransomware, or other harmful software
  • Session abandonment: Leaving an active session unattended on a shared or public computer
  • Unsecured devices: Accessing the platform from a device without a password/PIN, current security patches, or from an unsecured public Wi-Fi network without a VPN (if required by your Practice)
  • Unauthorized integrations: Connecting unauthorized third-party applications to the platform through the API or OAuth without Practice administrator and EnWella approval

2.3 Fraudulent and Abusive Conduct

  • False records: Creating, altering, destroying, or falsifying medical records or any entries in the platform
  • Upcoding / fraudulent billing: Submitting claims with false or inflated diagnoses, procedures, or dates of service
  • Identity fraud: Accessing the platform under a false identity or impersonating another user or patient
  • Unauthorized prescription activity: Using the platform to facilitate prescription fraud or to prescribe medications without a valid patient–provider relationship
  • Kickbacks: Using the platform to facilitate payment arrangements that violate the Anti-Kickback Statute or Stark Law

2.4 System Integrity Violations

  • Reverse engineering: Attempting to reverse engineer, decompile, disassemble, or extract source code from the platform
  • Automated access: Using bots, scrapers, crawlers, or automated scripts to access the platform without written authorization from EnWella
  • Load testing/DoS: Intentionally overloading the platform's systems, including launching denial-of-service attacks
  • Vulnerability exploitation: Exploiting any security vulnerability (report vulnerabilities to [SECURITY_EMAIL] — responsible disclosure is encouraged)
  • Data manipulation: Attempting to corrupt, destroy, or manipulate any data stored in the platform

2.5 Inappropriate Content

  • Uploading content that is obscene, harassing, discriminatory, or illegal
  • Using the secure messaging feature to harass, threaten, or intimidate patients or other users
  • Using the platform for any purpose unrelated to healthcare delivery or practice management

2.6 Legal Violations

  • HIPAA violations: Any use of the platform that violates HIPAA or applicable state health privacy law
  • Regulatory violations: Practicing medicine without a license, prescribing controlled substances illegally, or other violations of professional licensing requirements
  • Unlawful discrimination: Refusing or limiting care on the basis of race, color, national origin, sex, age, or disability in violation of federal or state civil rights law
  • Export controls: Exporting patient data to countries subject to U.S. trade sanctions or export control restrictions without required authorization

3. Special Considerations for Specific Features

3.1 Gmail Integration

The Gmail integration is provided to enable patient communication from an authorized practice email account. Users must NOT:

  • Use personal Gmail accounts for patient communication unless your Practice has authorized this and the account is covered by a Google Workspace HIPAA BAA
  • Send PHI through Gmail unless the account is specifically covered by your Practice's Google Workspace BAA
  • Use Gmail integration to circumvent the platform's secure messaging audit trail

3.2 Document Upload

Users may upload only:

  • Clinically relevant documents that are part of the patient's medical record
  • Documents for which you have authorization to upload (e.g., records received from other providers with patient consent)

You must NOT upload:

  • Copyrighted materials you do not have rights to use
  • Documents containing PHI of patients other than the patient to whose record you are uploading
  • Files larger than [MAX_FILE_SIZE] without prior authorization

3.3 Billing Functions

Billing users must:

  • Submit only accurate and truthful claims
  • Correct or void claims promptly upon discovering errors
  • Comply with payer contracts, CMS guidelines, and all applicable billing regulations
  • Not knowingly submit claims for services not rendered

3.4 Patient Portal

Patients must use the Patient Portal only to communicate with their own care team and access their own records. Patients must NOT:

  • Attempt to access records of other patients
  • Use the messaging feature to request prescriptions for controlled substances without an established patient–provider relationship
  • Submit false medical history or intake information


4. Reporting Obligations

All users are required to report the following immediately to your Practice's Privacy Officer or Security Officer (and to EnWella at [SECURITY_EMAIL]):

  • Any known or suspected unauthorized access to PHI
  • Any lost or stolen device that was used to access the platform
  • Any suspected phishing attack, malware infection, or security incident
  • Any suspected breach of PHI, including inadvertent disclosures
  • Any suspected violation of this AUP by another user

Failure to report known security incidents may itself constitute a violation of this AUP and your professional obligations under HIPAA.


5. Responsible Disclosure

If you discover a security vulnerability in the EnWella platform, we encourage responsible disclosure:

  1. Do NOT exploit the vulnerability or access/disclose any PHI encountered
  2. Report the vulnerability promptly to [SECURITY_EMAIL] with a detailed description
  3. Allow EnWella a reasonable period to investigate and remediate before any public disclosure
  4. EnWella will acknowledge receipt within 2 business days and provide updates on remediation

Responsible disclosure reporters who follow these guidelines will not face legal action from EnWella. Those who exploit vulnerabilities may face legal consequences.


6. Monitoring and Enforcement

6.1 Audit Logging

All access to and modification of records in the platform is logged. EnWella and Practice administrators may review audit logs to investigate suspected policy violations, security incidents, and HIPAA compliance issues.

You have no expectation of privacy in your use of the EnWella platform for work purposes. Audit logs may be used in internal investigations, legal proceedings, and regulatory actions.

6.2 Monitoring

EnWella reserves the right to monitor the platform for security threats, fraudulent activity, policy violations, and legal compliance. Monitoring may include analysis of usage patterns and automated threat detection.

6.3 Enforcement

Violations of this AUP may result in:

  • Warning: Formal written warning and mandatory training
  • Temporary suspension: Account suspended pending investigation
  • Permanent termination: Account permanently disabled
  • Legal referral: Referral to law enforcement or professional licensing authorities
  • Civil liability: EnWella may pursue civil remedies for damages caused by AUP violations
  • Regulatory reporting: Reporting to HHS OCR for HIPAA violations where required

Severity of response will be proportionate to the violation and its impact. Deliberate, malicious, or repeated violations will result in immediate termination.


7. Workforce Training Requirements

Before accessing the platform, all workforce members of an enrolled Practice must:

  • Complete HIPAA Privacy and Security training as required by your Practice
  • Read and acknowledge this Acceptable Use Policy
  • Be assigned a unique user account with appropriate role-based permissions
  • Complete any platform-specific training required by your Practice administrator

Patients are encouraged to read the Patient Portal Guide (available within the Patient Portal) before using the platform.


8. BYOD (Bring Your Own Device)

If your Practice permits access to the platform from personal devices ("BYOD"), the following minimum requirements apply to all personal devices:

  • Password or biometric lock enabled
  • Current OS version with security patches applied
  • Reputable antivirus/endpoint protection software
  • No unauthorized access from jail-broken or rooted devices
  • Remote wipe capability enabled (where technically feasible)
  • Automatic screen lock after no more than 5 minutes of inactivity

Your Practice may impose additional BYOD requirements. EnWella is not responsible for security incidents arising from access via inadequately secured personal devices.


9. Updates

This AUP may be updated at any time. Material changes will be communicated with at least 30 days' notice. Continued use of the platform after the effective date of the updated AUP constitutes acceptance.


10. Contact

For questions about this policy or to report a violation:

  • EnWella Security Team: [SECURITY_EMAIL]
  • Privacy Team: [PRIVACY_EMAIL]
  • Legal Team: [LEGAL_EMAIL]


EnWella — Your health, elevated. © [YEAR] [COMPANY LEGAL NAME]. All rights reserved.

© 2026 EnWella. All rights reserved. Made with ♥ for healthcare providers