Acceptable Use Policy
Effective Date: February 2026
Document Version: 2.0
This Acceptable Use Policy ("AUP") defines the permitted and prohibited uses of the Rymeda platform, operated by Rymeda, Inc. ("Rymeda," "we," "us"). This AUP is incorporated by reference into the Terms of Service ("Agreement") and applies to all users, organizations, providers, and administrators who access or use Rymeda services.
Rymeda is a healthcare platform that processes Protected Health Information ("PHI"). Violations of this AUP may constitute violations of federal and state law, including HIPAA (42 USC §1320d et seq.), the California Confidentiality of Medical Information Act ("CMIA," Cal. Civ. Code §56 et seq.), and the CCPA/CPRA (Cal. Civ. Code §1798.100 et seq.). Violations may result in enforcement actions up to and including permanent account termination and referral to regulatory or law enforcement authorities.
1. Permitted Uses
You may use the Rymeda platform for the following lawful purposes, subject to the terms of your subscription and the Agreement:
1.1 Healthcare Delivery
Providing, coordinating, and managing patient care within your licensed scope of practice. Accessing and updating patient records, clinical charts, vital signs, and care plans in accordance with your role-based access permissions.
1.2 Clinical Documentation
Creating, reviewing, and signing clinical notes (SOAP, progress, intake, discharge). Using AI-assisted documentation features — including voice transcription, AI-generated SOAP notes, and suggested ICD-10/CPT codes — subject to mandatory provider review and signature requirements described in the AI Transparency & Ethics Policy.
1.3 Billing & Revenue Cycle
Managing invoices, CPT/ICD-10 codes, insurance claims, and financial workflows for services rendered to patients. Billing access is limited to users with the biller role or higher per the platform's role-based access control.
1.4 Care Coordination
Coordinating patient care across providers within your organization. Using ORIS clinical AI for task prioritization, daily runbooks, and clinical decision support — subject to licensed provider oversight.
1.5 Marketplace
Browsing, purchasing, and reviewing healthcare products and services through the Rymeda marketplace. Vendors must maintain verified status and comply with marketplace policies.
1.6 Community & Social Features
Participating in professional healthcare community discussions, sharing knowledge, and networking with verified providers — subject to the Content Standards in Section 5 and community guidelines.
1.7 Administration & Compliance
Managing organization settings, user accounts, provider credentials, audit logs, and compliance workflows within your authorized administrative role.
2. General Prohibitions
The following activities are prohibited on the Rymeda platform. Violations may result in immediate enforcement action.
You shall NOT:
- 2.1 Illegal activity — Use the platform for any purpose that violates applicable federal, state, or local law, including HIPAA, CMIA, CCPA/CPRA, Anti-Kickback Statute (42 USC §1320a-7b), False Claims Act (31 USC §3729), or Stark Law (42 USC §1395nn).
- 2.2 Harassment & abuse — Engage in harassment, bullying, threats, intimidation, or any behavior that creates a hostile environment for other users, patients, or staff.
- 2.3 Discrimination — Discriminate against any individual based on race, color, national origin, sex, age, disability, religion, gender identity, sexual orientation, or any other protected characteristic under federal or state law.
- 2.4 Fraud & misrepresentation — Submit false claims, fabricate credentials, impersonate another person or entity, or misrepresent your qualifications, licensure status, or organizational affiliation.
- 2.5 Unauthorized access — Access, use, or disclose PHI or personal data except as authorized by the BAA, applicable law, and your assigned role-based permissions.
- 2.6 Hate speech — Post, transmit, or distribute content that promotes hatred, violence, or discrimination against individuals or groups based on protected characteristics.
- 2.7 Spam & unsolicited communications — Send unsolicited bulk messages, phishing attempts, promotional content, or commercial solicitations through platform communication channels.
- 2.8 Scams & deception — Engage in deceptive practices, pyramid schemes, fraudulent billing, or any activity designed to defraud users, patients, payers, or Rymeda.
- 2.9 Privacy violations — Share, publish, or disclose another user's personal information, credentials, clinical data, or account details without authorization.
- 2.10 Copyright infringement — Upload, distribute, or transmit copyrighted material without the rights holder's permission, or claim authorship of others' work.
3. Clinical Prohibitions
The following clinical-specific prohibitions apply to all users who access clinical features of the Rymeda platform. These prohibitions are in addition to — not in lieu of — obligations under HIPAA, CMIA, and applicable medical practice acts.
Clinical Prohibitions:
- 3.1 Practicing without license — Performing clinical activities (ordering labs, prescribing, diagnosing, signing clinical notes) without holding a valid, unrestricted license in the applicable jurisdiction. Provider credentials are verified through NPI/NPPES validation and document verification before clinical access is granted.
- 3.2 False credentials — Submitting false, expired, revoked, or suspended credentials during provider onboarding or verification. This includes fabricating NPI numbers, license numbers, DEA registrations, board certifications, or institutional affiliations. Credential fraud is reported to applicable licensing boards and law enforcement.
- 3.3 Unauthorized PHI access — Accessing patient records, clinical charts, voice notes, or clinical notes for patients not under your direct care, except as permitted by your role-based permissions. The platform enforces minimum necessary access per 45 CFR §164.502(b) through nine clinical sub-roles (physician, NP, PA, RN, therapist, biller, front_desk, org_admin, owner) with scoped permissions.
- 3.4 Circumventing RBAC — Attempting to access clinical functions, PHI, or administrative features beyond your assigned role. This includes privilege escalation, session hijacking, token manipulation, or exploiting platform vulnerabilities to gain elevated access.
- 3.5 Using AI without provider review — Treating AI-generated content (transcriptions, SOAP notes, suggested diagnoses, ICD-10/CPT codes) as final clinical documentation without review and signature by a licensed provider (Physician, NP, or PA with "full" clinical access). AI outputs carry "AI_DRAFT — REQUIRES PROVIDER REVIEW" status and must not be used for clinical decisions until reviewed and signed.
- 3.6 Recording without consent — Creating voice recordings of clinical encounters without obtaining appropriate consent as required by California Penal Code §632 (two-party consent) and the three-consent model described in the Patient Consent Policy.
- 3.7 Unauthorized data export — Exporting, downloading, or transferring patient data or clinical records outside the platform except through authorized data export functions with appropriate audit logging.
4. Technical Prohibitions
The following technical activities are prohibited. These prohibitions are enforced through technical controls (rate limiting, WAF, DDoS mitigation) and automated monitoring.
4.1 Reverse Engineering
Reverse-engineering, decompiling, disassembling, or attempting to derive the source code of the Rymeda platform, API, AI models, or any proprietary algorithms. This includes attempting to extract model weights, training data, or system prompts from AI features.
4.2 Scraping & Automated Access
Using bots, scrapers, crawlers, spiders, or any automated means to access, collect, or extract data from the platform without prior written authorization. This includes automated credential stuffing, account enumeration, or bulk data harvesting.
4.3 Exceeding Rate Limits
Intentionally exceeding API rate limits or circumventing rate limiting mechanisms. The platform enforces per-endpoint rate limits to ensure fair access and system stability. See Section 6 for rate limit details.
4.4 Vulnerability Exploitation
Exploiting security vulnerabilities, bugs, or misconfigurations in the platform. If you discover a vulnerability, report it to security@rymeda.com per our responsible disclosure policy. Unauthorized penetration testing is prohibited.
4.5 Malware & Malicious Code
Uploading, transmitting, or distributing viruses, worms, trojans, ransomware, spyware, keyloggers, or any code designed to disrupt, damage, intercept, or gain unauthorized access to the platform or users' systems.
4.6 Denial of Service
Initiating or participating in distributed denial-of-service (DDoS) attacks, resource exhaustion attacks, or any activity designed to disrupt platform availability for other users. The platform employs WAF protection, DDoS mitigation, and API Gateway rate limiting.
4.7 Unauthorized Integrations
Connecting unauthorized third-party applications, plugins, or services to the Rymeda platform or API without written authorization. Unauthorized integrations may compromise PHI security and violate the Business Associate Agreement.
5. Content Standards
All content posted, shared, or transmitted through the Rymeda platform — including community posts, comments, profile information, marketplace listings, and clinical documentation — must comply with the following standards:
5.1 Clinical Content
- Accuracy — Clinical documentation must be accurate, complete, and contemporaneous. Providers are responsible for verifying AI-generated content before signing.
- Evidence-based — Clinical recommendations shared in community forums must be evidence-based and clearly identified as professional opinion where applicable.
- No misleading claims — Users must not make unsubstantiated medical claims, promote unproven treatments, or disseminate medical misinformation.
- PHI redaction — Community posts, forum discussions, and marketplace interactions must not contain identifiable patient information. The platform employs automated PHI redaction, but users are responsible for ensuring PHI is not disclosed in free-text fields.
5.2 Professional Communication
- Professional tone — All communications must be professional, respectful, and appropriate for a healthcare setting.
- No personal attacks — Critique ideas, not individuals. Ad hominem attacks, name-calling, and personal insults are prohibited.
- Constructive feedback — Marketplace reviews, peer feedback, and forum responses must be constructive and factually based.
- Appropriate media — Uploaded images, documents, and files must be relevant to healthcare use and comply with platform content guidelines. Nudity, violence, and graphic content are prohibited outside of legitimate clinical contexts.
5.3 Marketplace Content
- Accurate listings — Product and service descriptions must accurately represent the offering, pricing, and capabilities.
- Honest reviews — Reviews must reflect genuine experience. Fake reviews, review manipulation, and review exchange arrangements are prohibited.
- Regulatory compliance — Listed products and services must comply with applicable FDA, FTC, and state regulations.
AI Content Moderation: Rymeda uses AI-assisted content moderation to detect policy violations. Content flagged with high confidence (≥ 85%) may be automatically actioned. Content flagged with medium confidence (60–85%) is queued for human review. All moderation actions are logged and appealable per Section 9.
6. Rate Limits & Fair Use
Rymeda enforces rate limits to ensure fair access, platform stability, and protection against abuse. Rate limits are applied per user and per IP address.
| Endpoint Category | Rate Limit | Notes |
|---|---|---|
| Global Default | 200 requests/minute | Applies to all API endpoints unless overridden |
| Authentication & Account | 5 requests/minute | Login, registration, password reset, account management |
| General API Operations | 10 requests/minute | Standard CRUD operations on platform resources |
| Sensitive Operations | 3 requests/minute | Data export, bulk operations, credential verification |
| AI & Voice Processing | Per subscription tier | Transcription, report generation, ORIS queries — subject to fair use and subscription limits |
When a rate limit is exceeded, the API returns HTTP 429 (Too Many Requests) with a Retry-After header indicating when the limit resets. Repeated or intentional rate limit violations may result in temporary rate limiting at the account level or IP-based blocking.
Enterprise customers requiring higher rate limits may negotiate custom limits through their Enterprise Agreement. Contact inquiry@rymeda.com for details.
7. Account Restrictions
The following account-level restrictions apply to all users:
7.1 One Account Per Person
Each individual must use a single account. Creating multiple accounts to circumvent enforcement actions, rate limits, or access restrictions is prohibited. Multiple accounts associated with the same individual ("ban evasion") will be detected and terminated.
7.2 No Credential Sharing
Login credentials (username, password, MFA tokens) are personal and non-transferable. Sharing credentials with another person — including colleagues, staff, or contractors — is prohibited. Each user who accesses the platform must have their own account with appropriate role-based permissions. Credential sharing undermines audit trail integrity and HIPAA access controls.
7.3 Accurate Account Information
Users must provide accurate, complete, and current account information, including name, email, professional credentials, and organizational affiliation. You must update your account information promptly if any details change.
7.4 Multi-Factor Authentication
Users with access to clinical features or PHI must enable multi-factor authentication (MFA). Disabling MFA on clinical accounts may result in access suspension until MFA is re-enabled.
7.5 Session Security
Users must sign out when leaving shared or public workstations. Unattended sessions with access to PHI violate HIPAA's workstation security requirements (45 CFR §164.310(c)). The platform enforces automatic session expiry for inactive sessions.
8. Enforcement
Rymeda reserves the right to investigate suspected AUP violations and take enforcement actions proportionate to the severity of the violation. All enforcement actions are logged in immutable audit trails.
8.1 Enforcement Actions
The following enforcement actions may be taken, individually or in combination, based on the nature and severity of the violation:
| Action | Description | Typical Use |
|---|---|---|
| Warning | Written notice of the violation with required corrective action. | First-time minor violations, content guideline infractions |
| Content Removal | Removal of specific content that violates this AUP. | Policy-violating posts, misleading marketplace listings |
| Mute | Temporary restriction on posting, commenting, or community participation. | Repeated content violations, harassment |
| Rate Limit | Reduced API and feature access limits applied to the account. | Abuse of API endpoints, automated access attempts |
| Feature Restriction | Specific features or modules disabled for the account. | Misuse of specific features (marketplace, AI, community) |
| Suspension | Temporary account lockout for a defined duration. Data is preserved. | Serious violations, pending investigation, repeated infractions |
| Permanent Ban | Permanent account termination. May include data deletion per retention policy. | Egregious violations, criminal activity, repeated suspensions |
| Legal Referral | Referral to law enforcement, licensing boards, or regulatory authorities. | Criminal activity, credential fraud, HIPAA violations, patient harm |
8.2 Escalation Progression
For non-egregious violations, enforcement generally follows a progressive escalation:
Warning → Content Removal / Mute → Feature Restriction → Suspension → Permanent Ban
Each enforcement action reduces the user's trust score. The trust score is calculated based on active enforcement actions and reports. Users with critically low trust scores may face preemptive restrictions.
8.3 Immediate Action
Rymeda may bypass progressive escalation and take immediate suspension or ban for egregious violations, including:
- Unauthorized PHI disclosure or data breach.
- Credential fraud or practicing without a valid license.
- Criminal activity (fraud, identity theft, hacking).
- Threats of violence or imminent harm to patients or users.
- Child sexual abuse material (CSAM) — reported to NCMEC and law enforcement immediately.
- Ban evasion (creating new accounts after permanent ban).
8.4 Notification
Users will be notified of enforcement actions via email to their registered email address. Notifications will include the nature of the violation, the enforcement action taken, the duration (if temporary), and information about the appeal process. For account suspensions and bans, notification is provided at the time of action or as soon as reasonably practicable.
9. Appeal Process
Users who believe an enforcement action was taken in error or was disproportionate may appeal the decision.
9.1 Filing an Appeal
Appeals must be submitted in writing to legal@rymeda.com within thirty (30) days of the enforcement action. The appeal must include: the date of the enforcement action, a description of the contested action, the reason you believe the action was incorrect or disproportionate, and any supporting evidence.
9.2 Review Process
Appeals are reviewed by the Rymeda Compliance Committee, which includes members independent of the original enforcement decision. The committee will review the original violation evidence, the enforcement action taken, and the appeal submission.
9.3 Timeline
Rymeda will acknowledge receipt of the appeal within five (5) business days and provide a final determination within fifteen (15) business days of receipt. If additional investigation is required, the user will be notified of the extended timeline.
9.4 Possible Outcomes
The Compliance Committee may: (a) uphold the original action; (b) reduce the severity of the action (e.g., ban → suspension, suspension → warning); (c) reverse the action entirely and restore full access; or (d) modify the action (e.g., adjust duration). The committee's determination is final.
9.5 Interim Access
During the appeal period, the enforcement action remains in effect unless the Compliance Committee grants interim relief. For suspensions involving clinical providers with active patients, Rymeda will work with the organization to ensure continuity of patient care during the appeal process.
10. Reporting Violations
If you become aware of any violation of this AUP, you are encouraged to report it promptly.
| Violation Type | Report To | Method |
|---|---|---|
| Security incidents, PHI exposure | Security Team | security@rymeda.com |
| Content violations, harassment, spam | Trust & Safety | In-platform report button or legal@rymeda.com |
| Credential fraud, licensing violations | Compliance | legal@rymeda.com |
| Billing fraud, false claims | Compliance | legal@rymeda.com |
| General AUP violations | Legal | legal@rymeda.com |
Reports may be submitted anonymously. Rymeda does not retaliate against users who report violations in good faith. All reports are investigated and documented in the compliance audit trail.
11. Monitoring & Detection
Rymeda employs a combination of automated and manual monitoring to detect AUP violations:
- AI-powered content moderation — Automated classification of user-generated content against policy categories (spam, harassment, hate speech, misinformation, and others). High-confidence violations (≥ 85%) are auto-actioned; medium-confidence flags (60–85%) are queued for human review.
- Anomaly detection — Automated detection of unusual access patterns, bulk data operations, credential abuse, and rate limit violations.
- Audit logging — Immutable, tamper-evident audit trails for all user actions, data access, and administrative operations. Audit logs are retained for six (6) years per HIPAA requirements.
- Trust scoring — Real-time trust score calculation based on enforcement history, reports, and account behavior. Trust score impacts available features and moderation thresholds.
- User reports — Community-driven reporting through in-platform moderation report functionality.
All monitoring activities comply with the Privacy Policy and are conducted in accordance with applicable law. Monitoring is designed to protect user safety, platform integrity, and PHI security — not to surveil users' clinical judgment or professional communications.
12. Changes to This Policy
Rymeda may update this AUP from time to time. Material changes — including new prohibitions, changes to enforcement procedures, or modifications to the appeal process — will be communicated at least thirty (30) days in advance via email and in-platform notification. Continued use of the platform after the effective date of changes constitutes acceptance of the updated AUP.
Contact
For questions about this Acceptable Use Policy, to report violations, or to file an appeal: