Acceptable Use Policy
1. Purpose
Run The List is designed to support service lists, patient handoffs, task tracking, print lists, and related clinical, educational, administrative, billing, compliance, support, and operational workflows.
Users must use Run The List only for authorized purposes and only in a manner consistent with:
- The user's assigned role and service access.
- The customer organization's policies and procedures.
- Applicable laws and regulations.
- The Terms of Service, Privacy Policy, Business Associate Agreement, and other applicable agreements.
2. Scope
This policy applies to all access to Run The List, including:
- Production workspaces.
- Demo, trial, or limited setup workspaces.
- Organization settings and service configuration.
- Patient, encounter, handoff, task, custom field, print, billing, compliance, and member management workflows.
- Support requests and communications with Run The List.
Customer organizations are responsible for ensuring that their users understand and follow this policy.
3. Authorized Access Only
Users may access only the organizations, services, patients, encounters, lists, notes, tasks, printouts, settings, and information that they are authorized to access for a legitimate work-related purpose.
Users must not:
- Access information out of curiosity.
- Access information outside their assigned role or service.
- Continue accessing information after their role changes or access is no longer needed.
- Use another person's account.
- Attempt to access another customer organization's workspace or data.
- View, edit, print, export, or share information without an authorized purpose.
4. Minimum Necessary Use
When using Run The List for workflows involving protected health information or other sensitive information, users must limit access, use, disclosure, printing, export, and sharing to the minimum necessary for the user's authorized role and task.
Users should not add information to Run The List unless it is needed for an authorized workflow and is permitted by the customer organization's policies.
5. PHI and Patient Information
Users may not enter, view, edit, export, print, download, share, screenshot, transmit, or disclose patient information unless authorized by the customer organization and permitted by applicable law, policy, and agreement.
Trial or demo workspaces must use fictional, synthetic, or de-identified data unless production PHI access has been enabled and any required Business Associate Agreement is active.
6. No PHI in Non-Approved Channels
Users must not send patient names, MRNs, dates of birth, clinical details, screenshots containing PHI, or other patient-identifying information to Run The List through non-approved channels.
Examples of non-approved channels include:
- Regular email.
- Text messages.
- Sales forms and demo request forms.
- General support forms.
- Payment forms, Stripe billing portal fields, and invoice notes.
- Social media or unapproved chat tools.
7. Account and Device Security
Users must protect their accounts and the devices they use to access Run The List. Users must not:
- Share passwords, MFA codes, active sessions, or account access.
- Use shared accounts unless expressly authorized in writing and configured by Run The List.
- Leave Run The List open on shared or public devices.
- Allow another person to use their account.
- Attempt to disable, bypass, or weaken authentication controls.
8. Prohibited Technical Activity
Users must not:
- Attempt to bypass authentication, authorization, tenant isolation, service assignment controls, rate limits, audit logging, billing controls, or other security controls.
- Probe, scan, penetration test, or vulnerability test systems without written authorization.
- Upload malicious code, scrape data, reverse engineer the service, overload the platform, or attempt to access another customer's data.
9. Prohibited Content and Conduct
Users must not use Run The List to store, transmit, or facilitate:
- Unlawful, harassing, abusive, discriminatory, threatening, defamatory, fraudulent, infringing, or malicious content.
- Retaliation against a user who reports a concern.
- Impersonation or misrepresentation of identity, credentials, role, or authority.
- Activity outside authorized clinical, educational, administrative, billing, compliance, support, or operational workflows.
10. Printing, Screenshots, and Exports
Printed lists, screenshots, exports, copied text, and downloaded information may contain PHI or confidential information. Users are responsible for handling those materials according to the customer organization's confidentiality, device, printer, retention, disposal, and no-photography or screenshot policies.
11. Clinical Use Boundaries
Run The List is a workflow and handoff support tool. It is not:
- The legal medical record.
- An electronic health record.
- A medical device.
- An emergency notification system.
- A substitute for professional medical judgment.
Users remain responsible for verifying information in appropriate source systems and with appropriate clinical personnel before making clinical, billing, discharge, transfer, or operational decisions.
12. Reporting Security and Access Concerns
Users must promptly report suspected or actual concerns, including:
- Unauthorized access.
- Incorrect permissions.
- Accidental disclosures.
- Lost or stolen devices.
- Suspicious activity.
- Account compromise.
- Improper PHI handling.
- Incorrect service access.
- Security vulnerabilities.
- Use of real PHI in demo-only mode.
Reports should be made to the customer organization's administrator or designated privacy/security contact. Reports to Run The List should avoid PHI unless a secure support channel has been approved.
13. Monitoring and Audit Logs
Run The List and customer organizations may monitor use of the service and review audit logs for security, compliance, support, operations, and misuse investigation. Users should not expect personal privacy in activity performed within an organization workspace, subject to applicable law and organizational policy.
14. Enforcement
Run The List or the customer organization may suspend, restrict, or remove access for suspected misuse, policy violations, unauthorized access, security concerns, nonpayment, legal risk, or activity that may harm Run The List, customers, users, patients, or the service.
15. Relationship to Other Agreements
This policy supplements the Terms of Service, Privacy Policy, HIPAA-safe use requirements, Business Associate Agreement, customer agreement, order form, and customer organization policies. If a signed Business Associate Agreement, customer agreement, or order form conflicts with this policy, the signed agreement controls for that customer relationship to the extent of the conflict.
16. Questions
Questions about this policy may be sent to admin@runthelist.io. Do not include protected health information or patient-identifying information in policy questions or support requests unless Run The List has expressly approved a secure support channel for that purpose.