MyRxWallet uses artificial intelligence as a tool to assist — never to replace — clinical judgment. We operate under a strict PHI Zero-Touch policy for all AI systems. Every AI interaction is logged, auditable, and governed by a human-in-the-loop requirement. We publish this document proactively because we believe transparency is not a compliance burden — it is a founding principle.
This policy applies to all AI-assisted features deployed within the MyRxWallet platform, including the MyRx AI Assistant available to authorized providers. It governs what AI systems are used, what they can and cannot access, how they are classified under federal and state law, and what rights patients and providers have with respect to AI-generated outputs.
This document is intended for: patients, healthcare providers, compliance officers, federal and state regulators, ONC auditors, HHS OCR investigators, CMS contractors, FDA reviewers, malpractice counsel, investors, and the general public.
| Item | Detail |
|---|---|
| AI Engine | Claude by Anthropic PBC (claude.ai API) |
| Deployment Mode | API call — no persistent memory, no model training on user data |
| Access Level | Authorized providers only — requires authenticated session |
| PHI Access | NONE — hard-blocked by system prompt and architecture |
| FDA Classification | Qualifying CDS — non-device under 21st Century Cures Act §3024 |
| BAA Status | Anthropic BAA in place for HIPAA covered entity usage |
| Data Retention | No conversation data retained by Anthropic beyond current session |
No other AI systems are currently deployed on the MyRxWallet platform. Any future AI systems will be added to this document prior to production deployment and disclosed to affected parties per HIPAA §164.520 requirements.
The MyRx AI Assistant operates in a completely isolated context. It has no connection to patient records, EHR data, NFT health tokens, Hyperledger health channels, or any database containing Protected Health Information. This is enforced at the architecture level — not merely by policy instruction.
The following data elements are never transmitted to any AI system under any circumstances:
| PHI Category | HIPAA Identifier | AI Access |
|---|---|---|
| Patient name | §164.514(b)(2)(i) | BLOCKED |
| Date of birth / age over 89 | §164.514(b)(2)(ii-iii) | BLOCKED |
| Geographic identifiers | §164.514(b)(2)(i) | BLOCKED |
| Medical record number (MRN) | §164.514(b)(2)(i) | BLOCKED |
| Health plan / insurance numbers | §164.514(b)(2)(i) | BLOCKED |
| Account / NFT token numbers | §164.514(b)(2)(i) | BLOCKED |
| Biometric identifiers | §164.514(b)(2)(i) | BLOCKED |
| Clinical notes, diagnoses, labs | §164.501 PHI definition | BLOCKED |
| Device / IP identifiers | §164.514(b)(2)(i) | BLOCKED |
| Agency / Law | Requirement | How We Comply | Status |
|---|---|---|---|
| HHS OCR — HIPAA Privacy Rule 45 CFR §164 | PHI protection, minimum necessary use, BAA for AI vendors | PHI Zero-Touch policy + Anthropic BAA executed + audit log of all AI interactions | ✓ COMPLIANT |
| HHS ONC — 21st Century Cures Act §3024 CDS Exemption | AI CDS must display basis for recommendation; provider must be able to independently verify; not for rare diseases requiring specialist knowledge | AI displays full reasoning with every response; provider override always required; no rare disease autonomous diagnosis | ✓ COMPLIANT |
| FDA — Software as Medical Device 21 CFR Part 820 / SaMD | Qualifying CDS exemption: not image/signal acquisition; shows reasoning; provider can independently review; not for rare conditions | MyRx AI is text-based reference only; all four qualifying CDS criteria met; classified as non-device | ✓ NON-DEVICE |
| FTC — Section 5 Unfair/Deceptive AI Practices | AI must identify itself; no impersonation of human clinician; no deceptive AI outputs | Mandatory AI disclosure banner on every session; "MyRx AI" branding always visible; responses carry disclaimer | ✓ COMPLIANT |
| CMS — Billing & Coding 42 CFR | AI cannot generate final billing codes; provider attestation required | AI provides coding guidance only; all codes require provider confirmation before submission | ✓ COMPLIANT |
| HITECH Act 42 U.S.C. §17931 | Audit controls, access logs, breach notification | All AI sessions logged with timestamp, user ID, session hash; no PHI in logs | ✓ COMPLIANT |
| Joint Commission NPSG / IM Standards | Documentation of AI tools used in clinical settings; traceability | This policy document + audit log constitutes required documentation | ✓ DOCUMENTED |
Under the 21st Century Cures Act §3024 and FDA's final guidance on Clinical Decision Support Software (September 2022), software qualifies for the non-device CDS exemption if it meets all four criteria:
| # | Criterion | MyRx AI Status |
|---|---|---|
| 01 | Not intended to acquire, process, or analyze medical images, signals from in vitro diagnostics, or patterns from signals | ✓ MET — Text-based only. No imaging, no signal processing. |
| 02 | Intended to display, analyze, or print medical information generally not specific to an individual patient | ✓ MET — General clinical reference only. No patient-specific data. |
| 03 | Intended for the purpose of supporting or providing recommendations to a health care professional about prevention, diagnosis, or treatment | ✓ MET — Recommendations only. Provider must independently review and confirm. |
| 04 | Intended to enable such health care professional to independently review the basis for such recommendations | ✓ MET — All AI responses display full reasoning, sources cited, provider override mandatory. |
MyRx AI Assistant is classified as a Qualifying Clinical Decision Support tool — NOT a medical device — under 21 U.S.C. §360j(o). No FDA 510(k) clearance or PMA is required for current functionality. This classification is reviewed at every product update.
MyRxWallet is an ONC-certified EHR under criterion §170.315(g)(10). Our AI governance policy aligns with the ONC's stated expectations for AI transparency under the HTI-1 Final Rule (January 2024) and the forthcoming HTI-2 proposed rule.
No AI-generated output on the MyRxWallet platform may be acted upon without independent review and confirmation by a licensed healthcare professional. This requirement is enforced by platform design, provider training, and terms of service.
Every AI-generated response carries the following mandatory disclosure:
"This response is generated by an AI assistant and is for informational purposes only. It does not constitute medical advice, a clinical diagnosis, or a treatment recommendation. All clinical decisions require independent review and judgment by a licensed healthcare professional. MyRxWallet AI does not have access to patient records."
This disclaimer appears on every AI response, cannot be disabled by any user, and is logged as part of the interaction audit record.
Patients receiving care through providers using the MyRxWallet platform have the following rights with respect to AI:
All AI interactions on the MyRxWallet platform are logged in compliance with HIPAA §164.312(b) audit control requirements and HITECH enhanced enforcement provisions.
| Log Field | What Is Captured | PHI? |
|---|---|---|
| Session timestamp | UTC datetime of AI session initiation and termination | NO PHI |
| User identifier | Provider user ID (hashed) — no name or credentials stored | NO PHI |
| Session hash | SHA-256 hash of session for integrity verification | NO PHI |
| Query category | Topic category (drug reference, ICD lookup, etc.) — no verbatim content | NO PHI |
| Disclaimer acknowledged | Boolean — provider acknowledged AI disclaimer | NO PHI |
| Retention period | 6 years per HIPAA §164.530(j) — stored encrypted on Hyperledger audit channel | NO PHI |
Audit logs are stored on the MyRx-Chain compliance channel (Hyperledger Fabric 2.5 LTS), providing an immutable, cryptographically verifiable record of all AI interactions. Logs are available to authorized compliance officers, OCR investigators under valid legal process, and the affected provider upon written request.
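The PHI Zero-Touch isolation described above and the PHI-free audit record fields in the table are easiest to reason about as a structural allowlist: the request object that reaches the AI API can only carry permitted keys, and the audit record is built from fields that by construction exclude verbatim content. The following Python is an added illustration of that pattern, not MyRxWallet's own code. The service layout, the category allowlist, the field names, the use of a keyed hash (HMAC-SHA-256 with a pepper) for the provider ID, and the choice of which fields feed the session hash are all assumptions made for the example.

```python
"""Illustrative PHI Zero-Touch request gate and PHI-free AI audit record.

Added example, not MyRxWallet's code. It assumes a hypothetical
provider-facing service that forwards clinical reference questions to an
AI API and writes one audit record per session. The field names, the
category allowlist and the pepper value are assumptions for the example.
"""
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone

# Topic categories the audit log may record (assumed set). The verbatim
# question text is deliberately never logged.
QUERY_CATEGORIES = frozenset({"drug_reference", "icd_lookup", "coding_guidance"})

# The only keys permitted in a request to the AI API. Record-bound fields such
# as patient_name, mrn, dob or clinical_notes are rejected by this allowlist
# rather than detected by content inspection, so the block is structural.
ALLOWED_REQUEST_KEYS = frozenset({"category", "question"})

# Pepper for hashing provider IDs. Constructed value; a real deployment would
# load it from a secret store so stored hashes cannot be reversed by guessing IDs.
USER_ID_PEPPER = b"constructed-example-pepper"


class PHIPolicyViolation(ValueError):
    """Raised when a request carries anything other than allowlisted fields."""


def gate_ai_request(payload: dict) -> dict:
    """Return a sanitised request containing exactly the allowlisted keys."""
    extra = set(payload) - ALLOWED_REQUEST_KEYS
    if extra:
        raise PHIPolicyViolation(f"fields not permitted to reach AI: {sorted(extra)}")
    missing = ALLOWED_REQUEST_KEYS - set(payload)
    if missing:
        raise PHIPolicyViolation(f"required fields absent: {sorted(missing)}")
    if payload["category"] not in QUERY_CATEGORIES:
        raise PHIPolicyViolation(f"unknown query category: {payload['category']!r}")
    return {"category": payload["category"], "question": str(payload["question"])}


def is_request_permitted(payload: dict) -> bool:
    """Boolean form of gate_ai_request for callers that only need a decision."""
    try:
        gate_ai_request(payload)
    except PHIPolicyViolation:
        return False
    return True


def hash_user_id(provider_id: str) -> str:
    """Keyed SHA-256 of the provider ID: stable per user, not reversible."""
    return hmac.new(USER_ID_PEPPER, provider_id.encode("utf-8"), hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class AuditRecord:
    started_at: str            # UTC ISO-8601 session start
    ended_at: str              # UTC ISO-8601 session end
    user_hash: str             # hashed provider ID, never the name
    query_category: str        # topic only, no verbatim content
    disclaimer_acknowledged: bool
    session_hash: str          # SHA-256 over the other fields


def _canonical(fields: dict) -> bytes:
    """Deterministic JSON encoding so the session hash is reproducible."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode("utf-8")


def build_audit_record(provider_id: str, request: dict, started_at: str,
                       ended_at: str, disclaimer_acknowledged: bool) -> AuditRecord:
    """Build the PHI-free audit record for one gated request."""
    fields = {
        "started_at": started_at,
        "ended_at": ended_at,
        "user_hash": hash_user_id(provider_id),
        "query_category": request["category"],   # request["question"] is not logged
        "disclaimer_acknowledged": bool(disclaimer_acknowledged),
    }
    return AuditRecord(session_hash=hashlib.sha256(_canonical(fields)).hexdigest(), **fields)


def verify_audit_record(record: AuditRecord) -> bool:
    """Recompute the session hash; False means the stored record was altered."""
    fields = asdict(record)
    expected = fields.pop("session_hash")
    actual = hashlib.sha256(_canonical(fields)).hexdigest()
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    now = datetime.now(timezone.utc).isoformat()
    req = gate_ai_request({"category": "drug_reference",
                           "question": "Maximum daily dose of acetaminophen in adults?"})
    rec = build_audit_record("provider-0042", req, now, now, True)
    print(json.dumps(asdict(rec), indent=2), verify_audit_record(rec))
```

The point of the allowlist is that a caller who passes an extra field such as `mrn` gets a hard failure before any network call, instead of relying on a downstream filter to notice the value. The session hash gives a tamper check on a single record; an append-only store such as the ledger channel described above is what makes the sequence of records itself verifiable.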
| State / Law | Requirement | Status |
|---|---|---|
| California — AB 2013 (2024) AI Transparency in Healthcare | Healthcare AI systems must publish training data sources, limitations, and intended use | ✓ PUBLISHED |
| California — CMIA Confidentiality of Medical Information Act | Medical information cannot be shared with AI without explicit authorization | ✓ PHI ZERO-TOUCH |
| Texas — THIPA Texas Health Information Privacy Act | AI processing of health data requires consent and disclosure | ✓ DISCLOSED |
| New York — SHIELD Act Stop Hacks and Improve Electronic Data Security | Reasonable safeguards for private information including health data | ✓ COMPLIANT |
| Nevada — SB 370 Consumer Health Data Privacy | Health data privacy protections beyond HIPAA | ✓ COMPLIANT |
| All other states | HIPAA minimum standards as floor; state-specific laws reviewed quarterly | ✓ HIPAA FLOOR |
MyRxWallet treats all AI vendors as Business Associates under HIPAA §164.502(e) regardless of whether PHI is actually transmitted, as a conservative compliance posture.
This policy is owned by the Compliance & Legal function of MyRxWallet North America Corporation. The Founder/CEO holds final authority over all AI governance decisions.
Review cycle: Every 6 months or within 30 days of any material change to AI systems, applicable law, or regulatory guidance.
Compliance inquiries: compliance@myrxwallet.io
Privacy / HIPAA: privacy@myrxwallet.io
Phone: 702.546.8686
Address: Wyoming, United States
Authorized federal and state regulatory investigators with valid legal process may request full AI audit logs, system documentation, and vendor agreements by contacting compliance@myrxwallet.io. We cooperate fully with HHS OCR, ONC, FDA, FTC, CMS, and state health departments.