Terms & Conditions

1. Acceptance of Terms

By accessing the HealthClaw Guardrails website, demo application, or software (collectively, the "Service"), you agree to be bound by these Terms & Conditions ("Terms"). If you do not agree, do not use the Service.

These Terms apply to all users including developers, researchers, healthcare organizations, and visitors to the public demo. Organizations using this software in production environments should ensure these Terms are reviewed by qualified legal counsel.

2. Description of Service

HealthClaw Guardrails is an open-source reference implementation of security and compliance patterns for AI agent access to FHIR health data via the Model Context Protocol (MCP). The Service includes:

• A Flask-based FHIR guardrail proxy (PHI redaction, audit trail, step-up authorization, tenant isolation)
• A Node.js MCP server exposing 12 FHIR-aware tools to AI agents
• Curatr — a patient-facing data quality evaluation engine
• Fasten Connect integration for patient-authorized FHIR data import
• A public demo environment at healthclaw.io (no guarantees of availability or data persistence)
• Documentation, wiki, and technical guides

The Service is a developer tool and pattern library. It is not a production-ready, fully validated clinical system.

3. Acceptable Use

You agree not to use the Service to:

• Submit real patient data (PHI/PII) to the public demo environment
• Attempt to circumvent guardrails, tenant isolation, or security controls
• Conduct denial-of-service attacks, scraping, or automated abuse of the demo endpoints
• Impersonate another user, organization, or tenant
• Use the Service in a production clinical environment without independent security validation, legal review, and applicable regulatory compliance (see Section 5)
• Redistribute the software under a license incompatible with the MIT License
• Use the Service for any unlawful purpose or in violation of any applicable law

4. No Medical Advice

Medical disclaimers are automatically injected into all clinical resource reads by the guardrail stack. This is a technical safeguard and does not create a professional relationship of any kind.

Curatr data quality evaluations (code validation, missing field checks) are informational only. Suggested fixes require patient review and, where clinically significant, provider confirmation before any action should be taken.

5. HIPAA & Regulatory Compliance

HealthClaw Guardrails is a software tool. It is not a HIPAA covered entity or business associate by virtue of its existence as open-source software.

If you are a covered entity or business associate under HIPAA and you deploy this software to process, store, or transmit electronic protected health information (ePHI):

• You are responsible for your own HIPAA compliance, including conducting a risk assessment
• You must execute appropriate Business Associate Agreements with all subprocessors
• You must validate that the software's security controls meet your organization's requirements
• You must satisfy all applicable state and federal health data privacy laws
• The built-in guardrails (PHI redaction, audit trail, step-up auth) are reference patterns, not a complete HIPAA compliance solution

Similar obligations apply under other frameworks: GDPR Article 9 (health data), CCPA, HITECH, state breach notification laws, and applicable international regulations. Consult qualified legal counsel before processing patient data.

6. Open Source License

HealthClaw Guardrails is released under the MIT License. You are free to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the software, subject to the conditions of the MIT License included in the repository.

The MIT License does not grant rights to the HealthClaw or healthclaw.io trademarks, logos, or brand identity. Use of HealthClaw branding requires separate written permission.

7. Disclaimer of Warranties

THE SERVICE IS PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, ACCURACY, COMPLETENESS, OR UNINTERRUPTED AVAILABILITY.

We do not warrant that the Service will be error-free, that defects will be corrected, or that the Service is free of viruses or other harmful components. We do not warrant the accuracy of FHIR validation results, terminology lookups, or Curatr code evaluations.

8. Limitation of Liability

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, HEALTHCLAW.IO AND ITS CONTRIBUTORS SHALL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, PUNITIVE, OR EXEMPLARY DAMAGES, INCLUDING BUT NOT LIMITED TO:

• Loss of data, revenue, profits, or business
• Unauthorized access to or alteration of health records
• Clinical decisions made in reliance on software output
• Regulatory penalties or enforcement actions arising from your use of the Service
• Patient harm resulting from software malfunction or misconfiguration

IN JURISDICTIONS THAT DO NOT ALLOW EXCLUSION OF CERTAIN WARRANTIES OR LIMITATIONS OF LIABILITY, OUR LIABILITY IS LIMITED TO THE MAXIMUM EXTENT PERMITTED BY LAW.

9. Indemnification

You agree to indemnify, defend, and hold harmless healthclaw.io and its contributors from and against any claims, liabilities, damages, losses, and expenses (including reasonable attorneys' fees) arising out of or related to:

• Your use of the Service or violation of these Terms
• Your deployment of the software in a clinical or production environment
• Any PHI you process using the Service
• Your failure to comply with applicable healthcare regulations

10. Third-Party Services

The Service may integrate with or link to third-party services including FHIR servers, NLM APIs, HL7 terminology servers, Fasten Health, and GitHub. These services are governed by their own terms and privacy policies. We are not responsible for the availability, accuracy, or conduct of third-party services.

When connecting to upstream FHIR servers (HAPI, Epic, SMART Health IT, etc.), you are subject to those servers' terms of service. Do not use sandbox credentials in production environments.

11. Intellectual Property

The HealthClaw Guardrails software source code is MIT-licensed (see Section 6). Documentation, website content, and marketing materials are copyright healthclaw.io. FHIR® is a registered trademark of HL7. US Core and other implementation guides are published by HL7 under their own licenses. This software is not endorsed by HL7, Epic, or any FHIR server vendor.

12. Termination

We reserve the right to suspend or terminate access to the public demo environment at any time, with or without notice, for any reason including but not limited to abuse, excessive usage, or violation of these Terms. Sections 4, 5, 7, 8, 9, and 13 survive termination.

13. Governing Law

These Terms are governed by and construed in accordance with the laws of the United States. Any disputes arising under these Terms shall be resolved through good-faith negotiation first. If unresolved, disputes shall be submitted to binding arbitration or the courts of competent jurisdiction. You waive any right to participate in class-action proceedings related to the Service.

14. Changes to These Terms

We reserve the right to modify these Terms at any time. Material changes will be noted in the project release notes and this page will reflect the updated effective date. Continued use of the Service after changes constitutes acceptance of the revised Terms.

15. Contact

Legal questions: legal@healthclaw.io
Privacy inquiries: privacy@healthclaw.io
Security disclosures: security@healthclaw.io
GitHub: aks129/HealthClawGuardrails