Effective Date: March 12, 2026 | Last Updated: March 12, 2026
Introduction
RehabDox LLC ("RehabDox," "we," "us," or "our") is committed to protecting the privacy and security
of your personal information. This Privacy Policy describes how we collect, use, disclose, and safeguard
information when you visit our website at rehabdox.com or use our cloud-based
Electronic Health Record (EHR) platform ("Service").
Our Service is designed for physical therapy practices and handles Protected Health Information (PHI)
in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended
by the HITECH Act, and their implementing regulations (including the HIPAA Privacy, Security, and Breach Notification Rules).
By accessing our website or using our Service, you agree to the terms of this Privacy Policy.
If you do not agree, please discontinue use of our website and Service.
Information We Collect
A. Information You Provide Directly
- Contact Information: Name, email address, phone number, clinic name, and clinic size when you submit our contact form or request a demo.
- Account Information: Name, email address, professional credentials, and role when you register for the RehabDox platform.
- Communications: Any messages, feedback, or inquiries you send to us via email or our contact form.
B. Protected Health Information (PHI)
When healthcare providers use our EHR platform, the Service processes PHI on behalf of the
healthcare practice ("Covered Entity"). This may include:
- Patient names, dates of birth, and contact details
- Medical records, clinical notes, and treatment plans
- Diagnostic information and progress notes
- Insurance and billing information
- Digital signatures and consent records
- Voice recordings used for AI-assisted clinical documentation
PHI is processed strictly in accordance with Business Associate Agreements (BAAs)
executed with each Covered Entity and in compliance with HIPAA regulations.
C. Information Collected Automatically
- Usage Data: Pages visited, time spent on pages, browser type, device type, and operating system.
- Log Data: IP address, access times, and referring URLs.
- Cookies: Small data files stored on your device to improve website functionality (see Cookies section below).
How We Use Your Information
We use the information we collect for the following purposes:
- Service Delivery: To provide, maintain, and improve our EHR platform and related services.
- Communication: To respond to your inquiries, send service-related notifications, and provide customer support.
- Clinical Documentation: To process voice recordings and generate AI-assisted clinical notes as part of the EHR Service.
- Security & Compliance: To maintain audit logs, detect security threats, and comply with legal and regulatory obligations.
- Analytics: To understand how our website and Service are used and to improve the user experience.
- Legal Obligations: To comply with applicable laws, regulations, and legal processes.
HIPAA Compliance & PHI Protection
RehabDox operates as a Business Associate under HIPAA. We take the following measures to
protect PHI:
- Encryption: All PHI is encrypted at rest using AES-256-GCM encryption and in transit using TLS 1.2 or higher.
- Access Controls: Role-based access control (RBAC) ensures that only authorized personnel can access PHI relevant to their role.
- Audit Logging: Comprehensive audit trails record all access to and modifications of PHI.
- Business Associate Agreements: We execute BAAs with all Covered Entities and ensure our subcontractors comply with HIPAA requirements.
- Breach Notification: In the event of a breach of unsecured PHI, we will notify the affected Covered Entities without unreasonable delay, as required of a Business Associate under the HIPAA Breach Notification Rule, and will support each Covered Entity in notifying affected individuals (and, where required, regulators and the media) to the extent set out in its BAA.
- Employee Training: All personnel with access to PHI receive regular HIPAA compliance training.
Data Security
We implement industry-standard technical, administrative, and physical safeguards to protect your
information, including:
- Encryption of data in transit (TLS 1.2 or higher) and at rest (AES-256-GCM)
- Regular security assessments and vulnerability testing
- Multi-factor authentication for platform access
- Automated session timeout and account lockout policies
- Secure cloud infrastructure with redundant backups
- Incident response and disaster recovery procedures
While we strive to protect your information, no method of transmission over the Internet or
electronic storage is 100% secure. We cannot guarantee absolute security but are committed to
maintaining the highest standards of data protection.
Information Sharing & Disclosure
We do not sell, rent, or trade your personal information to third parties. We may share
information only in the following circumstances:
- Service Providers: With trusted third-party vendors who assist in operating our Service (e.g., cloud hosting, AI processing), all of whom are bound by confidentiality obligations and, where applicable, BAAs.
- Legal Requirements: When required by law, regulation, legal process, or governmental request.
- Protection of Rights: To protect the rights, property, or safety of RehabDox, our users, or the public.
- Business Transfers: In connection with a merger, acquisition, or sale of assets, in which case your information may be transferred as part of that transaction.
- With Consent: When you have given explicit consent to share your information.
Cookies & Tracking Technologies
Our website may use the following types of cookies:
- Essential Cookies: Required for the website to function properly, such as session management and security tokens.
- Analytics Cookies: Help us understand how visitors interact with our website so we can improve the user experience.
- Preference Cookies: Remember your settings and preferences for future visits.
You can control cookie preferences through your browser settings. Disabling certain cookies
may affect the functionality of our website.
Data Retention
We retain personal information for as long as necessary to fulfill the purposes outlined in this
Privacy Policy, unless a longer retention period is required by law. Specifically:
- Website Inquiries: Contact form submissions are retained for as long as needed to respond to and resolve your inquiry.
- Account Data: Retained for the duration of your active account and as required for legal and compliance purposes.
- PHI: Retained in accordance with applicable state medical record retention laws and the terms of our Business Associate Agreements. Note that HIPAA itself does not set a retention period for medical records; its six (6) year requirement, measured from the date of creation or the last effective date, applies to HIPAA compliance documentation such as policies, procedures, and records of required actions.
- Audit Logs: Maintained for a minimum of six (6) years, consistent with HIPAA's documentation retention requirement.
Your Rights
Website Visitors
You have the right to:
- Request access to the personal information we hold about you
- Request correction of inaccurate personal information
- Request deletion of your personal information, subject to legal retention requirements
- Opt out of marketing communications at any time
Patients (PHI Rights under HIPAA)
If you are a patient whose PHI is processed through our platform, your rights regarding your
health information are governed by HIPAA and managed by your healthcare provider (the Covered Entity).
These rights include:
- Right to access your health records
- Right to request amendments to your health records
- Right to an accounting of disclosures of your PHI
- Right to request restrictions on certain uses and disclosures
- Right to receive confidential communications
- Right to receive notification of a breach of your unsecured PHI
To exercise these rights, please contact your healthcare provider directly. As a Business
Associate, RehabDox will assist your provider in fulfilling these requests as required.
Third-Party Services
Our website and Service may contain links to third-party websites or integrate with third-party
services. We are not responsible for the privacy practices of these third parties. We encourage
you to review the privacy policies of any third-party services you interact with.
All third-party service providers that process PHI on our behalf are bound by Business Associate
Agreements and are required to maintain HIPAA compliance.
Children's Privacy
Our website and marketing services are not directed to individuals under the age of 18.
We do not knowingly collect personal information from children through our website.
If we become aware that we have collected personal information from a child under 18 without
parental consent, we will take steps to delete that information promptly.
Note that our EHR platform may process health records of minor patients as directed by healthcare
providers, which is governed by HIPAA, applicable state laws, and the provider's own policies.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices,
technology, legal requirements, or other factors. When we make material changes, we will
update the "Last Updated" date at the top of this page and, where appropriate, notify you
via email or a prominent notice on our website.
We encourage you to review this Privacy Policy periodically to stay informed about how we
are protecting your information.
Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data
practices, please contact us: