Who this covers
This Acceptable Use Policy (the “Policy”) governs all access to and use of the neolife platform, including our web application, dashboards, APIs, and the Model Context Protocol (MCP) interface. It applies to the clinics and pharmacies that contract with us, the licensed providers who approve orders, the operations and support staff who act on a customer’s behalf, and any software agent, script, or automated system that authenticates with our services using your credentials.
You are responsible for the conduct of everyone and everything operating under your account. If an automated agent submits an order through your MCP connection, that order is your responsibility exactly as if a person on your staff had typed it. This Policy is part of, and supplements, your agreement with neolife. Where a term is defined in that agreement, it carries the same meaning here.
The core principle
neolife exists to move legitimate, clinically appropriate, lawfully authorized orders from a clinic to its pharmacy quickly — and to keep an unbroken record of who did what at every step. Every use of the platform must be consistent with that purpose. If a use would undermine patient safety, defeat a clinical or legal safeguard, or misrepresent what actually happened to an order, it is prohibited, whether or not it appears on the list below.
Prohibited uses
You may not use the platform, and you must not permit anyone using your account to use it, to:
- Break the law. Engage in any activity that violates applicable federal or state law, pharmacy or medical board regulation, the Federal Food, Drug, and Cosmetic Act, the Drug Supply Chain Security Act, or any rule governing telehealth, prescribing, or compounded preparations in the jurisdiction where the patient is located.
- Submit an order without valid provider authorization. Transmit any prescription order that has not been ordered and approved by a provider who holds a current, unrestricted license in the patient’s state and who has established a legitimate practitioner-patient relationship as required by law.
- Prescribe outside your scope or licensure. Authorize medications outside the bounds of your license, training, specialty privileges, collaborative-practice agreement, or the states in which you are authorized to practice and to prescribe.
- Submit fraudulent or fabricated orders. Create test, duplicate, ghost, or fictitious orders against real patient records; impersonate a patient or provider; falsify identity, insurance, or payment information; or submit orders intended to generate improper reimbursement, rebates, or kickbacks.
- Misuse protected health information. Access, use, or disclose patient data for any purpose other than treatment, payment, or the health-care operations the order requires — and never for marketing, resale, profiling, training of models you do not control, or personal curiosity.
- Divert or stockpile. Place orders for resale, redistribution, personal supply, or any purpose other than dispensing to the named patient under a valid prescription.
- Circumvent the provider-approval gate. Attempt to auto-approve, bulk- approve without review, spoof an approval, share or delegate approval credentials, or otherwise cause an order to reach the pharmacy without a licensed provider having actually reviewed and approved it. This is the most serious prohibition in this Policy. See below.
- Mislead patients. Represent a compounded preparation as an FDA-approved product. Compounded medications are prepared by a licensed compounding pharmacy and are not reviewed or approved by the FDA for safety or efficacy; any patient- facing description must say so.
- Interfere with others. Disrupt, degrade, or overload the platform, or interfere with another customer’s access, orders, or data.
The provider-approval gate
A licensed provider approves every order. Always. That single tap is the safety mechanism the entire rail is built around, and protecting its integrity is a condition of using neolife.
You must not, by any means, technical or procedural:
- configure or operate any system that marks orders as approved without a human, licensed provider exercising independent clinical judgment on each one;
- route approval prompts to anyone who is not a provider authorized to approve that order;
- pre-sign, batch-rubber-stamp, or script approvals so that review does not actually occur;
- share, sell, or reuse a provider’s authentication factors, or approve under another provider’s identity; or
- alter, replay, or forge the approval record after the fact.
AI may draft an order. A provider — a person — decides. Any attempt to collapse that distinction is a material breach and grounds for immediate termination.
Controlled substances
Orders involving controlled substances carry additional legal duties, and you bear them. You must comply with the Controlled Substances Act, DEA registration and prescribing rules, the Ryan Haight Act and its telemedicine requirements, and every applicable state controlled-substance law, including state prescription-drug-monitoring-program checks where required.
You may not use the platform to prescribe or dispense a controlled substance without a valid DEA registration and a lawful basis for the order, to evade quantity or refill limits, to facilitate doctor-shopping or diversion, or to obscure the true prescriber, patient, or quantity. neolife may decline to transmit, may hold, and may report orders that show signs of controlled-substance misuse.
Handling PHI and patient data
The platform processes protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA). Our handling of PHI is governed by the Business Associate Agreement between neolife and your organization. You agree to use the platform consistent with that agreement and with the minimum-necessary standard: request, view, and transmit only the PHI an order genuinely requires.
You must not export, copy, or retain PHI from the platform except as your treatment, payment, and operations purposes require and your records-retention obligations permit. You must not feed PHI obtained through neolife into third-party tools, analytics, advertising pixels, or model-training pipelines that lack a lawful basis and appropriate safeguards, consistent with the HHS Office for Civil Rights guidance on online tracking technologies.
Accuracy of what you submit
Pharmacies fill what you send. Patient identity, allergies, medication, strength, dose, quantity, directions, shipping address, and prescriber details must be accurate, current, and complete at the moment you submit. You are responsible for verifying that any data captured by chat, upload, or a connected source — and any draft prepared by our AI — is correct before a provider approves it.
Do not submit knowingly false, speculative, or placeholder data into a live order. If you discover an error after submission, you must use the platform’s correction or cancellation tools immediately and, where a dispensed medication is affected, follow your own clinical and pharmacy escalation procedures.
Security rules
You must not, and must not allow anyone to:
- probe, scan, or test the vulnerability of the platform, or breach or circumvent any authentication, authorization, or rate-limiting control, without our prior written authorization;
- scrape, harvest, crawl, or systematically extract data, content, or PHI from the platform;
- reverse engineer, decompile, or disassemble the platform, or attempt to derive source code, models, or non-public APIs, except to the extent that restriction is prohibited by law;
- introduce malware, attempt to gain unauthorized access to accounts, systems, or data, or escalate privileges beyond what your role grants;
- share credentials, leave sessions unattended on shared devices, or fail to revoke access for departed staff promptly; or
- use the platform to store or transmit anything unlawful, infringing, or unrelated to legitimate order fulfillment.
If you discover a security vulnerability, report it to us responsibly rather than exploiting it — see Reporting abuse below.
API and MCP fair use
neolife is agent-accessible: clinics and their authorized systems can submit and track orders programmatically through our API and our Model Context Protocol (MCP) interface. Programmatic access is a privilege, and the rules above apply in full — an order placed by an agent is held to the same standard as one placed by hand, including the provider-approval requirement.
Fair use of the API and MCP interface means:
- staying within the rate limits, quotas, and concurrency caps documented for your plan, and not engineering around them with rotated keys or distributed traffic;
- identifying your integration honestly and keeping API keys and MCP tokens confidential, scoped, and rotated on a sensible schedule;
- retrying failed requests with exponential backoff rather than hammering an endpoint, and honoring our retry and pagination headers;
- not using the API or MCP interface to build a competing order-routing service, to mirror our catalog or order data, or to resell access; and
- ensuring any AI agent acting through MCP is constrained so that it cannot itself approve an order, and that a licensed provider remains the approver.
We may throttle, suspend, or revoke programmatic access that exceeds these limits, threatens platform stability, or shows signs of automated abuse, with or without notice depending on severity.
Your data-protection obligations
You are responsible for protecting the data you handle on the platform, both as a HIPAA covered entity or business associate and, where applicable, under the EU and UK General Data Protection Regulation and US state privacy laws. At a minimum you must:
- maintain reasonable administrative, physical, and technical safeguards appropriate to PHI, including access controls, unique user accounts, and audit logging on your side;
- ensure you have a lawful basis and any required patient authorization before transmitting data through the platform;
- provision and de-provision your users on a least-privilege basis and review access periodically;
- report any suspected breach involving data you process through neolife to us without undue delay so the parties can meet their notification duties; and
- cooperate with reasonable security and compliance requests, including audits contemplated by the Business Associate Agreement.
Enforcement and suspension
We would rather warn you than cut you off — but patient safety and legal compliance come first, and some violations leave no room for a warning. Depending on the nature and severity of a violation, neolife may, at its discretion and consistent with your agreement:
- contact you to investigate and request that you remediate;
- throttle or limit specific features, endpoints, or order types;
- hold, decline to transmit, or reverse specific orders;
- suspend an individual user, an integration, or your account;
- preserve and disclose records as required to protect patients, comply with law, or respond to lawful requests from regulators, boards, or law enforcement; and
- terminate your access for material or repeated violations.
Where safety, security, or the integrity of the provider-approval gate is at stake — or where a controlled-substance or fraud concern arises — we may act immediately and investigate afterward. We will give notice where it is practical and lawful to do so. Enforcement under this Policy is in addition to any remedy available under your agreement or at law.
Reporting abuse
If you see misuse of the platform, a suspected fraudulent or unauthorized order, a compromised account, an attempt to bypass provider approval, or a security vulnerability, tell us. Email [email protected] with as much detail as you can safely share — but do not include unnecessary PHI in your report. For an active patient- safety emergency, follow your own clinical escalation procedures first; reporting to us does not replace them. We investigate every credible report and do not retaliate against good- faith reporters.
Contact
Questions about this Policy can go to [email protected], and privacy questions to [email protected]. This Policy is provided for transparency and may be updated from time to time; we will post the current version here with its effective date.