Compliance & Trust Center
Compliance isn't a feature. It's the foundation.
Every layer of this platform was engineered for healthcare from day one, not bolted on after the fact. This page is the section your attorney will want to review.
Infrastructure
Built for healthcare compliance from the ground up.
Four pillars of compliance infrastructure that protect your brand, your patients, and your business.
HIPAA-Compliant Infrastructure
Patient data is encrypted at rest (AES-256) and in transit (TLS 1.2+). Access controls, audit logging, and breach notification protocols are built into the core architecture. Infrastructure is purpose-built for protected health information.
- AES-256 encryption at rest
- TLS 1.2+ encryption in transit
- Role-based access controls
- Complete audit logging
- Documented breach notification procedures
Licensed Provider Network
Providers include licensed physicians, nurse practitioners, and PAs credentialed across all 50 states. Every consultation follows that state's specific telehealth prescribing laws. Regulatory changes are monitored at the platform level.
- Credentialed across all 50 states
- State-specific prescribing law compliance
- Automated state-aware patient routing
- Continuous regulatory monitoring
Verified Pharmacy Network
Every pharmacy holds active state board licenses and undergoes regular inspection. For compounded products, the network includes exclusively 503A and 503B-compliant compounding pharmacies. Chain of custody is documented from prescription to doorstep.
- Active state board licenses verified
- 503A/503B compounding compliance
- Documented chain of custody
- Regular third-party inspection
BAA Execution & Maintenance
A Business Associate Agreement isn't optional when handling PHI. It's the law. BAAs are executed as a standard part of onboarding. The legal team maintains them as regulations evolve.
- Executed with every customer at onboarding
- BAAs at every layer of the infrastructure stack
- Maintained and updated as regulations change
- Covers all administrative, physical, and technical safeguards
SOC 2 Type II Audit In Progress
Our infrastructure is built to SOC 2 Type II standards. Independent audit is underway with expected completion in Q3 2026. SOC 2 provides independent third-party verification of security controls, availability, and confidentiality practices.
Responsibilities
You run the brand. We run the compliance.
Telehealth compliance is a full-time job. Here's what the platform handles so you can focus on building your business.
You don't need to become a healthcare compliance expert. You need a platform built by people who already are.
Compliance FAQ
The questions your attorney will ask. Answered.
Legal Documentation
Policies, notices, and agreements.
Privacy Policy
Effective Date: February 2026
Information We Collect
Rowan Care collects information necessary to provide and improve our platform services. This includes:
- Account information: name, email address, company name, and role provided during registration
- Platform usage data: interactions with the dashboard, analytics preferences, and configuration settings
- Protected health information (PHI): handled in accordance with HIPAA regulations and the terms of your Business Associate Agreement
- Payment information: processed by PCI-DSS compliant third-party payment processors; we do not store full payment card details
How We Use Your Information
We use collected information to provide platform services, maintain and improve the platform, communicate about your account, and comply with legal obligations. We do not sell personal information. We do not use PHI for marketing or advertising purposes.
Data Security
We implement administrative, physical, and technical safeguards to protect your information. Patient data is encrypted at rest (AES-256) and in transit (TLS 1.2+). Access is controlled through role-based permissions with complete audit logging.
Third-Party Sharing
We share information only as necessary to provide platform services: with licensed providers for clinical consultations, with licensed pharmacies for prescription fulfillment, and with infrastructure partners under signed Business Associate Agreements. We do not sell or rent personal information to third parties.
Your Rights
You may request access to, correction of, or deletion of your personal information by contacting us at [email protected]. For requests related to protected health information, please refer to our HIPAA Notice below.
Contact
For privacy-related questions: [email protected]
HIPAA Notice of Privacy Practices
Effective Date: February 2026
About This Notice
This notice describes how medical information about patients may be used and disclosed through the Rowan Care platform, and how patients can get access to this information. This notice applies to all protected health information (PHI) maintained by Rowan Care on behalf of brands operating on the platform.
Uses and Disclosures of PHI
PHI may be used or disclosed for the following purposes without additional authorization:
- Treatment: Sharing information with licensed providers for clinical evaluations, prescribing decisions, and follow-up care
- Payment: Processing payments for services rendered through the platform
- Healthcare operations: Quality assessment, compliance monitoring, and platform improvement activities
Patient Rights
Patients have the right to: request restrictions on certain uses and disclosures; receive confidential communications; inspect and copy their PHI; request amendments to their records; receive an accounting of disclosures; and obtain a copy of this notice. Brands operating on the platform are responsible for communicating these rights to their patients and facilitating requests.
Our Responsibilities
We are required to: maintain the privacy of PHI; provide notice of our legal duties and privacy practices; notify affected individuals and the Department of Health and Human Services in the event of a breach of unsecured PHI; and abide by the terms of our Business Associate Agreements.
Safeguards
We implement all safeguards required by the HIPAA Security Rule, including access controls, audit controls, integrity controls, transmission security, and administrative procedures. Our infrastructure undergoes regular third-party security assessments.
Contact
For HIPAA-related inquiries: [email protected]
Terms of Service
Effective Date: February 2026
Platform Description
Rowan Care provides a technology platform that enables brands to operate telehealth storefronts. The platform connects brands with licensed provider networks, licensed pharmacy fulfillment partners, and compliance infrastructure. Rowan Care is not a healthcare provider, does not practice medicine, and does not operate a pharmacy.
Brand Responsibilities
Brands operating on the platform are responsible for: maintaining appropriate business entity structures; obtaining necessary business licenses and insurance; complying with all applicable marketing and advertising regulations; and working with qualified legal counsel to ensure their business operations comply with applicable laws.
Clinical Services Disclaimer
All clinical services, including patient evaluations, prescribing decisions, and clinical consultations, are provided by independently licensed healthcare providers. The platform facilitates the connection between patients and providers but does not direct, supervise, or influence clinical decision-making. Prescribing decisions are made solely by licensed providers based on independent clinical judgment.
Pharmacy Fulfillment
Prescriptions are fulfilled by independently licensed pharmacies in the platform's network. These pharmacies are regulated entities operating under their own state board licenses. Rowan Care facilitates the fulfillment workflow but does not dispense medications.
Limitation of Liability
To the maximum extent permitted by law, Rowan Care's liability is limited to the fees paid by the brand during the twelve months preceding the claim. Rowan Care is not liable for clinical outcomes, prescribing decisions, or pharmacy errors, as these are the responsibility of the independently licensed providers and pharmacies on the network.
Contact
For terms-related questions: [email protected]
Business Associate Agreement (BAA)
Effective Date: February 2026
What Is a BAA?
A Business Associate Agreement is a legally binding contract required by HIPAA whenever a business associate creates, receives, maintains, or transmits protected health information (PHI) on behalf of a covered entity. The BAA establishes the permitted uses and disclosures of PHI and requires appropriate safeguards.
Our BAA Practice
Rowan Care executes a BAA with every brand on the platform as a standard part of onboarding. This is not optional. It is a legal requirement when handling PHI. The BAA covers:
- Permitted uses and disclosures of PHI
- Requirements for safeguarding PHI
- Breach notification obligations and timelines
- Requirements for return or destruction of PHI upon termination
- Provisions for subcontractor agreements
Infrastructure BAAs
In addition to the BAA with each brand, Rowan Care maintains signed BAAs with all infrastructure partners that may access or process PHI, including cloud hosting providers, communication platforms, and analytics services. This ensures HIPAA compliance at every layer of the technology stack.
BAA Execution Timeline
BAAs are executed during the onboarding process before any PHI is processed through the platform. The typical timeline is:
- Draft BAA provided during onboarding kickoff
- Brand's legal counsel reviews and negotiates terms if needed
- Final BAA executed before platform access is granted
- BAA maintained and updated as regulations evolve
Request a BAA
To request a copy of our standard BAA for review: [email protected]
Questions?
We take compliance seriously. Let's talk specifics.
Request early access and we'll walk through our compliance infrastructure in detail, including anything your legal team needs to review.
Request Early AccessYour patients' data is protected by the same infrastructure standards used by major health systems.