PRIVACY POLICY

Last Revised: 01/01/26

Referralogix (“Referralogix”, “RLX”, “we”, “us”, or “our”) values the privacy of our users and clients. This Privacy Policy explains how we collect, use, disclose, and safeguard information, including protected health information (PHI), and how we comply with healthcare regulatory obligations, including HIPAA.

 

Table of Contents

1. Information We Collect

2. Use of Information

3. HIPAA and PHI Handling

4. Business Associate Agreement (BAA)

5. Cybersecurity Assurance

6. Data Retention and De-Identified Data

7. Multi-Location Client Assurances

8. Vendor Data Access

9. Security Measures

10. Users’ Rights

11. Changes to This Privacy Policy

12. Contact Us

 

1. Information We Collect

RLX collects the following information:

Patient Referral Data: Medical documents, referral information, and provider data submitted through our communication platform.

De-Identified Data: Patient identifiers are removed or generalized for analytics and benchmarking.

User Information: Name, email, organization, role, and usage data for operational and marketing purposes.

Vendor Engagement Data: Interaction metrics for marketing spotlights, clicks, and duration on screens. Vendors cannot access PHI unless contractually approved.

 

2. Use of Information

RLX uses collected information for:

Providing referral communication and operational services to clinics and healthcare organizations.

Operating and improving the platform, including security, troubleshooting, and support.

Marketing, analytics, benchmarking, and aggregated data reporting using de-identified data.

Compliance with regulatory obligations and execution of Business Associate Agreements (BAA).

 

3. HIPAA and PHI Handling

PHI is handled only within the communication platform, which is HIPAA-compliant.

Marketing services, including the CRM, do not process PHI, even though the CRM is HIPAA-compliant.

RLX executes BAAs with all covered entities.

 

4. Business Associate Agreement (BAA)

RLX enters into a BAA with covered entities in accordance with HIPAA and HITECH.

 

5. Cybersecurity Assurance

RLX is approved by a third-party cybersecurity and HIPAA compliance authority, which validates our security and regulatory compliance programs. This approval ensures:

Secure platform architecture and tenant isolation

Safeguards against unauthorized PHI access

Continuous monitoring, risk management, and adherence to HIPAA requirements

 

6. Data Retention and De-Identified Data

PHI and referral content are retained for operational purposes.

Upon client termination, PHI may be returned or destroyed in accordance with the BAA (fees may apply).

RLX may retain de-identified data for analytics, benchmarking, network intelligence, service deployment, and operational insights. Vendors may access only aggregated, anonymized metrics. RLX does not sell data.

 

7. Multi-Location Client Assurances

RLX supports multi-location clients with:

Centralized and delegated admin controls

Reporting across locations and departments

Segregation of PHI between locations and clinics

Clients cannot restrict access to vendors or other clinics for their users.

 

8. Vendor Data Access

Vendors may access aggregated, de-identified activity metrics for marketing purposes, including spotlight clicks, screen duration, and network engagement. Vendors cannot access PHI unless specifically approved by the clinic in the BAA or contract. Vendor spotlights do not influence referral placement, priority, or directory order.

RLX does not sell data.

 

9. Security Measures

RLX implements administrative, technical, and physical safeguards to protect PHI and other sensitive information, including:

Tenant isolation between clinics, vendors, and marketing services

Employee access controls and audit procedures

Subprocessor agreements ensuring HIPAA compliance

Security practices verified by a third-party cybersecurity authority

 

10. Users’ Rights

Clients may request access, amendments, or accounting of disclosures of PHI in accordance with HIPAA regulations. Requests are processed per the timelines specified in the BAA.

 

11. Changes to This Privacy Policy

RLX may update this Privacy Policy to reflect changes in operations, legal requirements, or cybersecurity compliance. Updated policies will be posted on the RLX website, and continued use constitutes acceptance of the updated policy.

 

12. Contact Us

For questions:


Referralogix (XBD, LLC)
Email: [email protected]