REFERRAL CONDUIT

“Where Dental Referrals Connect while keeping your PHI Safe!”

REFERRAL CONDUIT ACCEPTABLE USE POLICY (AUP)
Last Updated: November 22, 2025
1. PURPOSE & SCOPE
This Acceptable Use Policy ("AUP") governs the use of Referral Conduit, LLC's ("Referral Conduit") healthcare referral management platform and SMS services. This AUP applies to all users including healthcare providers, practice administrators, staff members, and patients who interact with our platform.
By using Referral Conduit services, you agree to comply with this AUP. Violations may result in suspension or termination of services.

2. PERMITTED USES
Referral Conduit services may ONLY be used for:
2.1 Healthcare Coordination
Managing patient referrals between healthcare providers
Sending appointment reminders and confirmations
Providing referral status updates
Communicating appointment instructions
Facilitating care coordination and transitions
Scheduling and rescheduling appointments
2.2 Transactional Communications
Account notifications related to active referrals
Service updates and operational messages
Response to patient inquiries
Two-way appointment scheduling conversations
Customer support communications
2.3 Compliance & Administrative
Collecting and documenting patient consent
Maintaining audit trails
Generating compliance reports
Managing opt-in/opt-out preferences

3. PROHIBITED USES
The following uses are STRICTLY PROHIBITED:
3.1 Illegal Activities
Any activity that violates federal, state, or local laws
HIPAA violations or unauthorized PHI disclosure
Identity theft or impersonation
Fraud or misrepresentation
Stalking, harassment, or threats
Distribution of controlled substances without proper authorization
3.2 Unauthorized Marketing
Sending unsolicited marketing or promotional messages
SMS spam or bulk messaging without consent
Telemarketing or sales calls/texts
Third-party advertising
Lead generation or list building
Affiliate marketing schemes
3.3 Harmful Content
Pornographic or sexually explicit content
Hate speech or discriminatory content
Content promoting violence or self-harm
Misinformation or health fraud
Phishing or social engineering attempts
Malware, viruses, or malicious code
3.4 Platform Abuse
Circumventing security measures or access controls
Unauthorized access to accounts or data
Denial of service attacks or network disruption
Scraping or automated data collection
Reverse engineering or decompiling software
Creating fake accounts or multiple identities
Sharing login credentials inappropriately
3.5 Consent Violations
Sending messages without proper opt-in consent
Ignoring opt-out requests (STOP commands)
Fabricating or misrepresenting consent
Purchasing or using third-party contact lists
Sharing opt-in status across unrelated businesses
Embedding consent in unrelated agreements
3.6 Privacy Violations
Unauthorized sharing of patient information
Disclosure of PHI for non-treatment purposes
Selling or renting patient contact information
Using patient data for purposes beyond the original consent
Failing to implement appropriate security measures
Unauthorized access to patient records
3.7 Content Restrictions
False or misleading medical information
Unauthorized medical advice
Drug diversion or illegal prescriptions
Unproven or fraudulent treatments
Medical identity theft
Insurance fraud

4. HEALTHCARE-SPECIFIC REQUIREMENTS
4.1 HIPAA Compliance
All users must:
Execute a Business Associate Agreement (BAA) if applicable
Implement appropriate administrative, physical, and technical safeguards
Limit PHI transmission to minimum necessary information
Maintain audit logs of PHI access and disclosure
Report breaches within required timeframes
Train staff on HIPAA requirements annually
Conduct risk assessments regularly
4.2 Patient Safety
Never use SMS for medical emergencies
Include 911 emergency language in communications
Avoid transmitting sensitive diagnoses or test results via SMS
Do not provide medical advice via SMS without proper context
Ensure messages are clear and cannot be misinterpreted
Respond to patient concerns appropriately and timely
4.3 Consent Management
Obtain clear, affirmative opt-in consent before sending messages
Make consent separate from other agreements
Brand all opt-in requests with provider name
Document consent with date, time, and method
Honor opt-out requests immediately (within minutes, not hours)
Maintain opt-out records permanently
Provide clear STOP and HELP functionality
4.4 Message Content Standards
Identify sender clearly in every message
Keep messages professional and appropriate
Avoid medical jargon when possible
Include essential information only
Provide actionable next steps
Include contact information for questions
Add opt-out instructions when appropriate

5. TCPA COMPLIANCE REQUIREMENTS
5.1 Consent Requirements
Obtain prior express written consent for all SMS messages
Consent must be clear and conspicuous
Consent cannot be a condition of service (unless truly required)
Disclose message frequency honestly
Disclose that message and data rates may apply
Provide clear opt-out mechanism
5.2 Timing Restrictions
Send messages only between 8 AM and 9 PM in the recipient's local time
Respect quiet hours for non-urgent messages
Consider time zones for multi-state practices
5.3 Message Frequency
Honor disclosed message frequency
Do not send excessive messages
Reasonable frequency based on use case (referral activity)

6. SECURITY REQUIREMENTS
6.1 Account Security
Users must:
Use strong, unique passwords
Enable multi-factor authentication (MFA) when available
Not share login credentials
Log out of shared devices
Report suspicious activity immediately
Review access logs regularly
6.2 Data Protection
Encrypt sensitive data in transit and at rest
Use secure networks (no public Wi-Fi for PHI access)
Implement role-based access controls
Regularly update software and security patches
Conduct security training for staff
Have incident response procedures
6.3 Device Security
Use password-protected devices
Keep operating systems updated
Use anti-malware software
Encrypt mobile devices accessing the platform
Implement remote wipe capabilities for lost devices

7. USER RESPONSIBILITIES
7.1 Healthcare Providers
Verify patient identity before sending messages
Maintain accurate patient contact information
Train staff on proper platform use
Monitor message delivery and opt-out requests
Maintain documentation of consent
Respond to patient inquiries promptly
Report issues or suspected violations
7.2 Practice Administrators
Manage user accounts and permissions
Conduct regular compliance audits
Ensure staff training is current
Review and approve message templates
Monitor usage patterns for anomalies
Maintain Business Associate Agreements
7.3 Staff Members
Follow organizational policies and procedures
Complete required training
Report security incidents immediately
Use the platform only for authorized purposes
Protect patient privacy at all times
7.4 Patients
Provide accurate contact information
Update preferences when needed
Report issues or unwanted messages
Use STOP to opt out if desired
Not use SMS for emergencies

8. MONITORING & ENFORCEMENT
8.1 Monitoring
Referral Conduit reserves the right to:
Monitor platform usage for compliance
Review message content for policy violations
Audit consent and opt-out processes
Investigate complaints or suspicious activity
Analyze usage patterns and metrics
Conduct security assessments
8.2 Violations & Consequences
Violations of this AUP may result in:
First Offense: Warning and corrective action plan
Second Offense: Temporary suspension (7-30 days)
Serious Violations: Immediate account termination
Illegal Activity: Referral to law enforcement
Civil Liability: User assumes all legal responsibility
8.3 Examples of Serious Violations (Immediate Termination)
HIPAA violations causing patient harm
Fraudulent activity or identity theft
Intentional data breaches
Spam or mass unauthorized messaging
Repeated consent violations after warnings
Criminal activity

9. REPORTING VIOLATIONS
9.1 How to Report
Report violations or concerns to:
Email: support@referralconduit.com
Phone: 904-571-3913
Emergency Security Issues: support@referralconduit.com
9.2 What to Report
Suspected HIPAA violations
Unauthorized access or data breaches
Platform abuse or misuse
Spam or unwanted messages
Security vulnerabilities
Privacy concerns
9.3 Investigation Process
Reports are reviewed within 24-48 hours
Serious violations investigated immediately
Users notified of investigation when appropriate
Corrective actions implemented as needed
Documentation maintained for compliance

10. THIRD-PARTY SERVICES
10.1 Integrations
Users are responsible for third-party integrations (EHRs, PMSs)
Third-party services must comply with this AUP
Referral Conduit is not responsible for third-party violations
Users must maintain appropriate agreements with third parties
10.2 Subprocessors
Referral Conduit uses the following subprocessors:
Twilio (SMS delivery)
[Cloud hosting provider]
[Any other key service providers]
All subprocessors have signed BAAs and comply with HIPAA.

11. INDEMNIFICATION
Users agree to indemnify and hold harmless Referral Conduit from:
Violations of this AUP
Misuse of the platform
Unauthorized disclosure of patient information
Legal claims arising from user actions
Regulatory penalties due to user non-compliance
Third-party claims related to user content or actions

12. CHANGES TO THIS POLICY
Referral Conduit may update this AUP at any time. Changes will be posted at referralconduit.com/aup with an updated "Last Updated" date. Continued use after changes constitutes acceptance.
Material changes will be communicated via email or platform notification 30 days in advance when possible.

13. QUESTIONS & CONTACT
For AUP Questions:
 Email: support@referralconduit.com
 Phone: 904-571-3913
For Security Issues:
 Email: support@referralconduit.com
For Privacy Concerns:
 Email: support@referralconduit.com
Mailing Address:
 Referral Conduit, LLC
 333 Crockett Blvd #540671
 Merritt Island, FL 32953

14. ACKNOWLEDGMENT
By using Referral Conduit services, you acknowledge that you have read, understood, and agree to comply with this Acceptable Use Policy. You also acknowledge that violations may result in service suspension or termination and potential legal consequences.

15. INTEGRATION WITH OTHER AGREEMENTS
This AUP is incorporated into and part of:
Terms of Service
Business Associate Agreement (if applicable)
Customer Agreement
Privacy Policy
In case of conflict, the most restrictive provision applies to ensure maximum compliance and protection.

END OF ACCEPTABLE USE POLICY
This policy complies with HIPAA, TCPA, CTIA guidelines, and applicable federal and state regulations governing healthcare communications and SMS messaging.