HIPAA Policy & No-PHI Notice
Effective: 2026-05-06 · Last updated: 2026-05-06
Do not submit Protected Health Information (PHI) to this platform.
Myto Intelligence is a clinician reference tool. It is not a HIPAA-covered entity, does not act as a HIPAA business associate, and does not have any Business Associate Agreement (BAA) in place. The platform is structurally designed to operate without exchanging PHI. Submitting PHI to the platform is a violation of our Terms of Service and may also violate your obligations under HIPAA, state privacy laws, and institutional policies.
1. What is PHI
Protected Health Information (PHI) is any health information that can be used to identify an individual. Under HIPAA's Safe Harbor standard, the following 18 identifiers, when combined with health information, render that information PHI:
- Names
- Geographic subdivisions smaller than a state
- Dates (birth, admission, discharge, death)
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers (MRNs)
- Health plan / insurance numbers
- Account numbers
- Certificate / license numbers
- Vehicle identifiers (VINs, license plates)
- Device identifiers / serial numbers
- Web URLs
- IP addresses
- Biometric identifiers (fingerprints, voiceprints)
- Full-face photographs / comparable images
- Any other unique identifying number or code
A combination of even seemingly innocuous details can become PHI when paired with health information about a real individual. When in doubt, abstract.
2. Why we don't accept PHI
Myto Intelligence is built as a clinician reference tool — a structured database of plant-drug pharmacology with an AI-assisted lookup interface. It is the same category of tool as UpToDate, Epocrates, Lexicomp, or Clinical Pharmacology Online. None of these tools accept PHI either, for the same reasons:
- Reference tools don't need patient identity. Whether a 45-year-old Caucasian female or a 60-year-old Asian male is asking about warfarin and ginkgo, the answer is the same. PHI adds no value to the reference query.
- PHI elevates regulatory burden without proportional benefit. A platform that handles PHI is a HIPAA business associate or covered entity, with substantial compliance, audit, and BAA obligations. We avoid this overhead by avoiding PHI.
- PHI risks security exposure. Even with strong controls, the safest data is data we don't have. We architect the system to be structurally incapable of accepting PHI — abstracting your queries before they enter our systems.
3. How to use the platform without PHI
Use abstract clinical scenarios. Examples of acceptable framing:
✓ Acceptable
- "What plant-drug interactions exist for warfarin?"
- "Patient on Lipitor asks about red yeast rice — what should I know?"
- "Common interactions for elderly patients on benzodiazepines"
- "Asthma patient on prednisone considering licorice — concerns?"
✗ Do not submit
- Patient names ("John Smith asks about...")
- Dates of birth ("Born March 15, 1962...")
- Addresses or specific locations
- Medical Record Numbers (MRN), insurance IDs, account numbers
- Biometric data, fingerprints, full-face photographs
- Any combination of details specific enough to identify a real patient
4. Technical safeguards
The AI agent feature (when active) implements automated PHI detection on inputs and outputs. Common identifying patterns — names paired with health context, date-of-birth-like patterns, MRN-like number sequences, addresses, phone and email patterns — are scanned for and redacted before any storage or external API call. This is a technical backstop, not a substitute for your obligation under Section 3 to abstract your queries.
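The following is an added illustration of the kind of pattern-based backstop Section 4 describes; it is not Myto Intelligence's own code, and the patterns, sample queries and function names are constructed for the example. It shows why the scanner is a backstop only: formatted identifiers (dates, MRN-like codes, SSNs, phones, emails) are redacted before storage or forwarding, while a bare name such as "John Smith" passes through, which is exactly the gap the clinician's abstraction discipline has to close.

```python
import re
from dataclasses import dataclass, field

# Constructed patterns for the formatted identifier classes on the policy's
# list. Order matters: the MRN rule runs before the phone rule so a long
# record number is not mis-labelled as a phone number.
PHI_PATTERNS = {
    "MRN": re.compile(
        r"\b(?:MRN|medical record (?:number|#))\s*[:#]?\s*[A-Z0-9-]{5,}\b", re.IGNORECASE),
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE": re.compile(
        r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)"),
    "DATE": re.compile(
        r"\b(?:\d{1,2}[/-]\d{1,2}[/-]\d{2,4}"
        r"|(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)[a-z]*\.? \d{1,2},? \d{4})\b",
        re.IGNORECASE),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}

@dataclass
class ScanResult:
    redacted: str
    # (category, length of the redacted span): the audit record deliberately
    # never keeps the matched value, so the log cannot itself become PHI.
    findings: list = field(default_factory=list)

def redact_phi(text: str) -> ScanResult:
    """Redact formatted identifiers before the text is stored or sent to an external API."""
    result = ScanResult(redacted=text)
    for label, pattern in PHI_PATTERNS.items():
        def _replace(match, label=label):
            result.findings.append((label, len(match.group(0))))
            return f"[{label}_REDACTED]"
        result.redacted = pattern.sub(_replace, result.redacted)
    return result

def is_safe_to_forward(text: str) -> bool:
    """Gate an outbound call or write: True only when the scanner found nothing."""
    return not redact_phi(text).findings

# Constructed sample queries mirroring the policy's acceptable / do-not-submit framing.
ABSTRACT_QUERY = "Asthma patient on prednisone considering licorice - concerns?"
IDENTIFIED_QUERY = ("John Smith, DOB 03/15/1962, MRN 4471928, phone (555) 123-4567, "
                    "email j.smith@example.org, on warfarin asks about ginkgo")

if __name__ == "__main__":
    r = redact_phi(IDENTIFIED_QUERY)
    print(r.redacted)   # the name "John Smith" survives: regexes are a backstop only
    print(r.findings)
```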
5. Your responsibilities
As a licensed clinician, you have legal obligations under HIPAA, state privacy laws, and your institution's policies regarding patient data. Submitting PHI to a non-covered entity (such as Myto Intelligence) without an applicable BAA may expose you to:
- Civil monetary penalties under HIPAA
- State privacy law liability (e.g., California CMIA)
- Institutional disciplinary action
- Professional license review
- Patient harm and breach-notification consequences
We document the no-PHI policy clearly so you cannot claim uncertainty about what is acceptable. The discipline is yours; the platform is built to make that discipline as easy as possible.
6. If PHI is inadvertently submitted
If you accidentally submit PHI through the platform: (a) delete the conversation immediately using the in-app deletion control; (b) contact us at mytointel@mytointelligence.com to confirm system-side scrubbing; (c) consider whether your own breach-notification obligations under HIPAA, state law, or institutional policy apply.
7. Our HIPAA posture
Myto Intelligence does not seek HIPAA-covered-entity status or business-associate status. We do not pursue HIPAA Business Associate Agreements with sub-processors. This is a deliberate architectural choice consistent with the platform's purpose as a reference tool. If institutional or use-case requirements eventually demand HIPAA-compliant infrastructure, the platform architecture would need substantial revision and is not on the current roadmap.