Acceptable Use Policy
Effective Date: January 15, 2026
Last Updated: January 15, 2026
This Acceptable Use Policy ("AUP") governs your use of the FHIRfly API platform and related services (the "Service") provided by FHIRfly.io LLC ("FHIRfly," "we," "us," or "our").
This AUP is incorporated into our Terms of Service. Violation of this AUP may result in suspension or termination of your account.
1. General Principles
You agree to use the Service:
- In compliance with all applicable laws and regulations
- In a manner that does not harm FHIRfly, other users, or third parties
- Responsibly and ethically
- In accordance with your subscription plan's terms and limits
2. Prohibited Uses
2.1 Illegal Activities
You may not use the Service to:
- Violate any local, state, national, or international law
- Facilitate or promote illegal activities
- Engage in fraud, money laundering, or financial crimes
- Violate export control or sanctions regulations
2.2 Harmful Content and Activities
You may not use the Service to:
- Distribute malware, viruses, or malicious code
- Engage in phishing, social engineering, or identity theft
- Harass, threaten, or harm individuals or groups
- Distribute spam or unsolicited communications
- Promote violence, discrimination, or hate speech
2.3 Unauthorized Access
You may not:
- Access accounts, systems, or data without authorization
- Attempt to bypass authentication or security mechanisms
- Probe, scan, or test the vulnerability of our systems
- Attempt to gain access to other users' accounts or data
- Reverse engineer, decompile, or disassemble the Service
2.4 Service Abuse
You may not:
- Exceed your plan's rate limits or monthly quotas
- Attempt to circumvent rate limiting mechanisms
- Create multiple accounts to avoid limits or enforcement
- Share credentials with unauthorized parties
- Resell or redistribute access to the Service without authorization
- Use automated systems to create accounts
2.5 Data Extraction Restrictions
You may not:
- Systematically download or scrape data to reconstruct a competing database
- Bulk download data beyond what is reasonable for your plan's intended use
- Cache API responses for longer than 24 hours without prior authorization
- Mirror, republish, or redistribute the underlying datasets
- Use the Service primarily to extract and store data rather than for active application use
3. API Usage Requirements
3.1 Rate Limit Compliance
You must respect the rate limits and quotas associated with your subscription plan. Current limits are published on our Pricing page and in our Rate Limits documentation.
Consistently exceeding these limits may result in temporary throttling or account suspension.
3.2 Request Patterns
You agree to implement reasonable request patterns:
- Backoff: Implement exponential backoff when receiving rate limit responses (429)
- Caching: Cache responses appropriately to reduce redundant requests
- Batching: Use batch endpoints when looking up multiple codes
- Error handling: Handle errors gracefully without aggressive retries
3.3 Credential Security
You are responsible for:
- Keeping API keys and OAuth secrets confidential
- Not embedding credentials in client-side code or public repositories
- Rotating credentials if compromise is suspected
- Using appropriate credential types (Simple vs. Secure) for your use case
4. Data Usage
4.1 Permitted Uses
The reference data provided through our APIs may be used for:
- Healthcare software development and integration
- Research and analysis
- Educational purposes
- Internal business applications
- Commercial products and services (subject to your plan)
4.2 Attribution
When publicly displaying data obtained through FHIRfly, you should acknowledge the original data sources. See our Data Sources & Attribution page for specific requirements.
4.3 Data Accuracy
You acknowledge that:
- Reference data may contain errors or become outdated
- You should not rely solely on FHIRfly data for critical decisions
- Medical decisions should always involve qualified healthcare professionals
- You are responsible for validating data for your specific use case
5. Healthcare Compliance and PHI Prohibition
5.1 No PHI Through FHIRfly
This is a critical requirement. The Service is not designed, intended, or authorized for the storage, processing, or transmission of Protected Health Information (PHI) as defined under HIPAA. You must not submit, transmit, or store any PHI through the Service, including in:
- API request URLs or query parameters
- Request headers
- Request bodies
- Any other form of communication with the Service
5.2 Prohibited Data Types
You must not submit the following through the Service:
- Patient names or identifiers
- Medical record numbers
- Social Security numbers
- Dates of birth combined with health information
- Geographic data smaller than a state
- Telephone numbers, fax numbers, and email addresses of patients
- Any other individually identifiable health information as defined by HIPAA
5.3 No Business Associate Agreement
FHIRfly does not offer a Business Associate Agreement (BAA). We are not a HIPAA-covered entity or business associate with respect to the Service.
5.4 Your Compliance Responsibilities
If you use FHIRfly in a healthcare application:
- You are solely responsible for your own HIPAA compliance
- You must implement appropriate safeguards for any PHI in your application
- Your use of reference data from FHIRfly does not create a business associate relationship
- You must ensure your systems do not inadvertently send PHI to FHIRfly
5.5 Consequences of PHI Submission
If we detect or reasonably believe that PHI has been submitted to the Service, we may:
- Delete the data without notice
- Suspend or terminate your account
- Take any other action necessary to protect the Service
6. Intellectual Property
6.1 Respect for Rights
You may not use the Service to infringe on intellectual property rights, including:
- Copyrights
- Trademarks
- Patents
- Trade secrets
6.2 FHIRfly Branding
Allowed without permission:
- Accurately state in text that your application "uses FHIRfly APIs" or "integrates with FHIRfly"
- Link to fhirfly.io from your documentation or website
- Mention FHIRfly in technical documentation describing your integration
Requires written permission:
- Using the FHIRfly logo in your application, website, or marketing materials
- Displaying "Powered by FHIRfly" badges or similar
- Any use that could imply endorsement or partnership
Prohibited:
- Using FHIRfly's name, logo, or branding to imply endorsement we have not given
- Misrepresenting your relationship with FHIRfly
- Creating confusion about the source of your products or services
- Using our branding in a way that disparages FHIRfly or our Service
To request permission for branding use, contact admin@fhirfly.io.
7. System Integrity
7.1 No Interference
You may not interfere with the Service's operation by:
- Overloading servers or infrastructure
- Disrupting service for other users
- Introducing malicious code or data
- Attempting denial-of-service attacks
7.2 Responsible Disclosure
If you discover a security vulnerability:
- Report it to admin@fhirfly.io immediately
- Do not exploit the vulnerability
- Do not disclose publicly until we have addressed it
- We appreciate responsible security research
8. Monitoring and Enforcement
8.1 Monitoring
We may monitor usage to:
- Ensure compliance with this AUP
- Detect and prevent abuse
- Maintain service quality
- Improve the Service
8.2 Investigation
We may investigate suspected violations by:
- Reviewing usage logs and patterns
- Contacting you for clarification
- Working with law enforcement if required
8.3 Enforcement Actions
For violations of this AUP, we may take the following actions, depending on severity:
| Severity | Possible Actions |
|---|---|
| Minor | Warning, temporary rate limit reduction |
| Moderate | Temporary suspension, required remediation |
| Severe | Immediate termination, permanent ban |
| Criminal | Report to law enforcement |
We aim to provide notice before taking enforcement action, except in cases requiring immediate response.
9. Reporting Violations
If you become aware of violations of this AUP, please report them to:
- Email: admin@fhirfly.io
- Subject: "AUP Violation Report"
Include as much detail as possible to help us investigate.
10. Changes to This Policy
We may update this AUP to address new threats, clarify requirements, or reflect service changes. Material changes will be communicated through:
- Updates to this page
- Email notification for significant changes
- Dashboard announcements
11. Contact Us
For questions about this Acceptable Use Policy, contact us:
FHIRfly.io LLC
Email: admin@fhirfly.io
Phone: (816) 552-2628
Address: 30 N Gould St, Ste 60120, Sheridan, WY 82801