Unit 387’s (“Unit 387,” “we,” “us,” or “our”) Individual Access Service (“IAS”) platform provides individuals with a single point of access to all their health information, no matter where that information exists, on demand.
This Individual Access Service Privacy and Security Notice (“IAS Privacy and Security Notice”) describes how we may access, exchange, use, and disclose your individually identifiable information as an IAS Provider in connection with the Trusted Exchange Framework and Common Agreement (“TEFCA”), and your rights with respect to such individually identifiable information. Individually identifiable information is information that identifies you or with respect to which there is a reasonable basis to believe that the information could be used to identify you. Information that is de-identified is not individually identifiable information.
This IAS Privacy and Security Notice is intended to fulfill the requirements of the U.S. Department of Health and Human Services (“HHS”), Assistant Secretary for Technology Policy (“ASTP”) / Office of the National Coordinator for Health IT (“ONC”) and the Recognized Coordinating Entity (“RCE”) with respect to our participation in TEFCA as an IAS Provider. Please know that this Notice is limited to our TEFCA participation as an IAS Provider. Other notices and policies may apply to how your individually identifiable information is processed by us outside of TEFCA or if we are processing your individually identifiable information on behalf of your health care provider, health plan, or other third party who also participates in TEFCA.
This IAS Privacy and Security Notice supplements and is in addition to our Privacy Policy. To the extent this IAS Privacy and Security Notice conflicts with our general Privacy Policy, this IAS Privacy and Security Notice controls with respect to the individually identifiable information we collect about you through our TEFCA connection.
When you use one of our customers’ digital properties to create a personal health record, you may be introduced to Unit 387 as their secure data intermediary partner. In this role, we will retrieve your individually identifiable information from other sources on your behalf and transfer it to the customer’s digital property. As our customers’ service provider, our contractual obligations are not with you, but with our customer. Any information we collect, process, or transfer on your behalf is governed by their terms of service and privacy notices with you.
Unit 387’s obligations under this IAS Privacy and Security Notice will continue for as long as we maintain individually identifiable information.
Information We Collect
We may collect the following types of individually identifiable information:
- Name
- Address
- Email address
- Telephone number
- Gender
- Date of birth
- Unique user ID in CLEAR
- IP address
- Browser type
- Health information, including medical records.
How Information is Used
We may use individually identifiable information for any of the following purposes:
- To provide, troubleshoot, and improve our IAS;
- To locate, access, and retrieve your health information;
- To create and manage your profile;
- To prove when and from which device you consented to the IAS Privacy and Security Notice;
- To verify that the individual requesting health information is the subject of such information;
- To prevent health information from being released to the wrong individual(s);
- For security, to prevent and detect fraud or illegal activities, and for archival and backup purposes in connection with the provision of the IAS;
- To respond to your inquiries and communicate with you;
- For our other business purposes, such as data analytics, to fix errors with our IAS, accounting, auditing, reporting, and to create de-identified and aggregate statistics;
- As we believe to be necessary or appropriate: (i) under applicable law; (ii) to comply with legal process; (iii) to respond to requests from public and government authorities; (iv) to enforce this IAS Privacy and Security Notice; (v) to protect our operations; (vi) to protect our rights, privacy, safety or property, and/or that of you or others; and (vii) to allow us to pursue available remedies or limit the damages that we may sustain.
Unit 387 will not access, exchange, use, and/or disclose your information to assert any type of claims against you, except (if applicable) to collect fees or costs for services you requested.
Disclosure of Information
We may disclose your individually identifiable information:
- With Our Customers. Unit 387 shares your personal health record with the customer whose digital property you are using to access our IAS. The customer’s end user terms of service and privacy policy govern the processing of your individually identifiable information for this purpose.
- With Health Data Connections. Unit 387 shares individually identifiable information as necessary with other companies and organizations to support your ability to access and exchange your personal health records. This includes minimum demographic information for fraud protection.
- With Your Consent. We share your individually identifiable information with those you have directed us to release your information to.
- With Third Party Service Providers Performing Services on Our Behalf. We share your individually identifiable information with our service providers to perform the functions for which we engage them. For example, we may use third parties to host our IAS or assist us in providing functionality on our IAS, provide identity verification, and provide data analytics on our IAS.
- Changes of Control. We reserve the right to transfer or assign the information that we have collected about you in connection with a corporate transaction, such as a divestiture, merger, consolidation, or asset sale, or in the unlikely event of bankruptcy.
- For Legal Purposes. We also may share individually identifiable information as needed to enforce our rights, protect our property or protect the rights, property or safety of others, or as needed to support external auditing, compliance and corporate governance functions. We will disclose individually identifiable information as we deem necessary to respond to a subpoena, regulation, binding order of a data protection agency, legal process, governmental or law enforcement request or other legal or regulatory process. We may also share individually identifiable information as required to pursue available remedies or limit damages we may sustain.
If we receive a civil or criminal subpoena, court order, search warrant, or other demand for compulsory disclosure or law enforcement request for your individually identifiable information that we obtained in connection with our TEFCA connection, we will provide written or electronic notice to you within three (3) business days, unless we are prohibited by law from doing so (e.g., under the Patriot Act). To the extent permitted by applicable law, you will be afforded the right to object to the production of the individually identifiable information, seek a protective order or other appropriate remedy consistent with applicable law. Unless required by law to do so, we will use our best efforts to not share your individually identifiable information related to reproductive health care services or gender affirming care in response to subpoenas, court orders, or law enforcement requests. However, please note that there may be circumstances in which we are required by law to share this information as part of a legal process.
We will also provide written or electronic notice (unless prohibited by law) within three (3) business days of Unit 387 making your individually identifiable information available to law enforcement agencies, including through the sale of individually identifiable information.
All disclosures through TEFCA are in accordance with the permitted and required uses and disclosures specified in the Common Agreement and applicable HHS guidance.
We do not intend to sell the individually identifiable information we obtain through our TEFCA connection to third parties. We will ask for your consent before engaging in the sale of your individually identifiable information.
Data Security
Under TEFCA, we are required to act in accordance with this IAS Privacy and Security Notice and Section 10 of the Common Agreement. Unit 387 uses commercially reasonable efforts to protect individually identifiable information from unauthorized access or illegal access, modification, use, or destruction.
Unit 387 encrypts all individually identifiable information that we hold, both in transit and at rest, regardless of the source.
Unit 387 must notify individuals whose individually identifiable information has been or is reasonably believed to have been affected by: (i) an unauthorized acquisition, access, disclosure, or use of unencrypted individually identifiable information that does not qualify for an exception; and (ii) other security events that are set forth in the Standard Operating Procedure (SOP): TEFCA Security Incident Reporting (“IAS Incident”).
Unit 387 also requires its service providers, with whom we share individually identifiable information, to agree to the same standards and practices that we follow, maintain reasonable security measures, and comply with applicable law.
Data Retention
We retain individually identifiable information for as long as necessary to fulfill the purpose for which it was collected, or as required by applicable laws or regulations.
Consent
Before we access, exchange, use, or disclose your individually identifiable information (except where disclosures are required by law) and before we use your individually identifiable information in a manner materially different than in this IAS Privacy and Security Notice when such information was collected, we will ask you for your express, written, and informed consent (“IAS Consent”). We may collect this IAS Consent electronically or in paper form.
You may revoke your IAS Consent at any time through the Unit 387 website or by using the revoke consent link in every email communication we send to you. Once you revoke your IAS Consent, you will not be able to access our IAS or your health information until you sign a new IAS Consent. Your revocation will not affect any action we’ve taken in reliance on your IAS Consent prior to the date of such revocation.
Your Rights
You have the right to:
- Require that all the individually identifiable information that we maintain in connection with our IAS be deleted completely, to the extent technically feasible, with respect to any future uses or disclosures, unless such deletion is prohibited by law; provided, however, that the foregoing shall not apply to individually identifiable information contained in audit logs;
- Access your individually identifiable information that we maintain in connection with our IAS;
- Obtain an export of your individually identifiable information in a machine-readable format, including the means to interpret such machine-readable format; and
- Be notified in the event your individually identifiable information is reasonably believed to have been affected by an IAS Incident.
Unit 387 supports an individual’s right to access their health information and to exercise their individual rights at no cost to the individual. However, if we were to charge an individual fees or costs for our IAS, you would be notified in advance. We also reserve the right to charge businesses fees and costs for services provided to them or on their behalf, or for other work we may do for them, such as identity verification and data delivery.
REQUEST-ONLY IAS PROVIDER: UNIT 387 DOES NOT PROVIDE BIDIRECTIONAL SERVICES. YOU WILL HAVE THE ABILITY TO REQUEST ACCESS TO YOUR HEALTH INFORMATION VIA TEFCA EXCHANGE. YOU WILL NOT BE ABLE TO USE UNIT 387 TO SHARE YOUR HEALTH INFORMATION WITH OTHER PARTICIPANTS IN TEFCA.
HIPAA
The Health Information Portability and Accountability Act and its implementing regulations (collectively, “HIPAA”) is a U.S. federal privacy law that protects health information when it is maintained by certain HIPAA-regulated entities. Unit 387 considers itself a business associate under HIPAA. As a business associate, we provide services to HIPAA-covered entities, such as health care providers, health plans, and clearinghouses. When we do so, how we use and disclose protected health information is determined by our contracts with those HIPAA-covered entities. If you have questions about how your health care provider or health plan may use and disclose your protected health information, please read their HIPAA Notice of Privacy Practices or contact them directly.
De-Identified Data
We may de-identify and/or aggregate individually identifiable information, including protected health information, in accordance with the HIPAA de-identification standards at 45 CFR 164.514(b), in connection with our services or for our internal business purposes, such as creating usage data. Usage data reflects general patterns and trends about how users interact with our IAS (for example, feature utilization, navigation flows, and performance metrics) but does not identify any individual user. We use usage data to analyze, maintain, and improve the functionality, performance, and user experience of our IAS and related services. We may also create, use, and disclose de-identified data if: (1) required to do so by applicable law; or (2) as may be permitted by applicable law, if you consent to it.
Questions / Contact Us
If you have any questions regarding this IAS Privacy and Security Notice, please contact us at:
Unit 387, LLC
Privacy Office
3838 Oak Lawn Avenue, Ste 1000
Dallas, TX 75219
Telephone: 469-871-6161
Email: privacy@unit387.com
Notification of Changes
Any changes to this IAS Privacy and Security Notice will be posted to this page so users are always aware of the information we collect and how we use it. Accordingly, please refer back to this IAS Privacy and Security Notice frequently, as it may change. Additionally, if you have an active profile with us, we will notify you via email when and where this IAS Privacy and Security Notice is materially changed.