InboxMD is an AI-powered tool that helps physicians draft replies to patient InBasket messages. It learns your writing style and generates responses in your voice.

Is InboxMD HIPAA compliant?

Yes. InboxMD never stores patient messages or AI drafts. All PHI exists only in your browser during the active session. Infrastructure runs on AWS with a signed Business Associate Agreement.

Does InboxMD work with Epic?

Yes. InboxMD works with Epic, Cerner, and any EHR. Simply copy a patient message, paste it into InboxMD, and copy the AI draft back to your EHR.

How much does InboxMD cost?

InboxMD costs $35/month or $299/year. There is a 14-day free trial with no credit card required.

Does InboxMD store patient data?

No. InboxMD has a zero-PHI-persistence architecture. Patient messages and AI drafts are never written to any database. They exist only in your browser during the active session.

Privacy Policy

Last updated: April 1, 2026

Introduction

This Privacy Policy describes how Aether Practice Solutions Inc., doing business as InboxMD ("InboxMD," "we," "us," or "our"), collects, uses, and protects information when you use our AI-powered InBasket message drafting service at inboxmd.ai (the "Service"). We are committed to protecting your privacy and complying with all applicable laws, including the Health Insurance Portability and Accountability Act (HIPAA).

HIPAA Compliance

Aether Practice Solutions Inc. operates as a Business Associate under HIPAA. We enter into a Business Associate Agreement (BAA) with each subscribing physician or practice. A copy of the BAA is available for download in your account Settings.

Information We Collect

We collect the following categories of information:

Account information: Email address, full name, National Provider Identifier (NPI), and practice location.
De-identified messaging patterns: Aggregated, de-identified data about your writing style and preferences, used to personalize AI drafts to match your voice.
Usage logs: Timestamps, feature usage, session duration, and other non-PHI operational data.
Billing information: Payment details are processed and stored by Stripe. We do not store credit card numbers on our servers.

Information We Do NOT Collect or Store

InboxMD maintains a strict zero-PHI-persistence policy. We do not collect, store, or retain:

Patient messages: The content of InBasket messages you paste into the Service is processed in real time and never stored.
AI-generated drafts: Draft responses are streamed to your browser and never persisted on our servers.
Chart notes, lab results, or clinical data: Any chart context you provide is used solely for the current drafting session and is immediately discarded.

Protected Health Information (PHI) passes through our infrastructure only transiently during AI inference and is never written to any database, log file, or persistent storage.

How We Use Your Information

Authentication: To verify your identity and manage your account.
AI personalization: De-identified writing patterns are used to tailor AI-generated drafts to your communication style.
Usage tracking: Non-PHI usage data helps us improve the Service and diagnose technical issues.
Billing: To process subscription payments and manage your plan.

Third-Party Services

We work with the following third-party providers, each covered by a signed Business Associate Agreement (BAA):

Amazon Web Services (AWS): Infrastructure hosting, database services, and AI inference via AWS Bedrock. All services are covered under a signed AWS BAA.
Stripe: Payment processing and subscription billing. Stripe maintains its own BAA and PCI DSS compliance.

We do not use any third-party analytics, error tracking, or advertising services that are not covered by a BAA.

Data Security

We employ industry-standard security measures to protect your data:

Encryption at rest: All stored data is encrypted using AES-256.
Encryption in transit: All data transmitted between your browser and our servers is protected with TLS (HTTPS).
API key security: API keys and secrets are hashed using SHA-256 and never stored in plaintext.
Infrastructure: Our database resides in a private subnet with no direct internet access. All access is controlled via security groups and IAM policies.

Data Retention

User profile data: Retained until you delete your account.
De-identified messaging patterns: Retained until you delete your account.
Usage logs: Retained until you delete your account.
Protected Health Information (PHI): Never stored. PHI is processed transiently and immediately discarded after each drafting session.

Your Rights

You have the right to:

Delete your account: You may delete your account at any time from your account Settings. All associated data will be permanently removed.
Export your data: You may request an export of your account data at any time.
Download your BAA: A copy of your Business Associate Agreement is available for download in your account Settings.

Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a notice on our website prior to the change taking effect.

Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us at support@inboxmd.ai.