TEFCA Privacy and Security Notice Addendum

HDX Labs, Inc. (dba HealthEx)
Effective Date: August 4, 2025

1. Purpose and Scope

This HealthEx Privacy and Security Notice (“Notice”) describes:

  • How HDX Labs, Inc., doing business as HealthEx (“HDX,” “HealthEx,” “we,” “us” or “our”), may access, exchange, use, disclose, and store your individually identifiable information as an Individual Access Service Provider in connection with our Trusted Exchange Framework and Common Agreement (“TEFCA”) connection; and

  • Your rights with respect to such individually identifiable information.

Individually identifiable information is information that identifies you or for which there is a reasonable basis to believe that it could identify you. Information that is de-identified is not individually identifiable information. This Notice is in addition to the HealthEx Privacy Policy (https://www.healthex.io/privacy-policy) applicable to your use of our Platform. To the extent this Notice conflicts with our general HealthEx Privacy Policy, this Notice controls with respect to the individually identifiable information we collect about you through our TEFCA connection.  

This Notice is intended to fulfill the requirements of the U.S. Department of Health and Human Services (HHS), Assistant Secretary for Technology Policy (ASTP) / Office of the National Coordinator for Health IT (ONC) and the Recognized Coordinating Entity (RCE) with respect to our participation in TEFCA as an Individual Access Service Provider. Please know that this Notice is limited to our TEFCA participation as an IAS Provider. Other notices and policies may apply to how your individually identifiable information is processed by us outside of TEFCA or if we are processing your individually identifiable information on behalf of your health care provider, health plan, or other third party who also participates in TEFCA.   

2. Who We Are and What is TEFCA

About HealthEx. HealthEx operates a modern data rights management platform that enables patients and health care organizations to manage data access, consent, and compliance efficiently and transparently (the “Platform”). Our Platform provides:

  • A Patient Data Rights Management Portal to administer and manage consents;

  • A TEFCA on-ramp for full medical record retrieval across Qualified Health Information Networks (QHINs), like MedAllies; and

  • An Enterprise Data Policy Engine to accelerate compliant reviews of data requests.

We operate within cloud-based infrastructure hosted by AWS and implement layered defenses across systems and services.

What is TEFCA? TEFCA is a contractual framework for supporting nationwide health information exchange between and among QHINs and their participants and subparticipants. A QHIN is a technology company that has been approved by a government-established process to provide the technical backbone to support electronic health information exchange. Participants and subparticipants in TEFCA include health care providers, health plans, public health authorities and governmental agencies, individual access service providers and the individuals and entities who support them. You can learn more about the types of individuals and entities that participate in TEFCA by reading this Standard Operating Procedure (SOP): Types of Entities That Can Be a Participant or Subparticipant in TEFCA.  

TEFCA permits QHINs, participants, and subparticipants to participate in different use cases that are called exchange purposes. One of those exchange purposes is providing individuals with access to their health information, called Individual Access Services (“IAS”). Organizations that have a direct contractual relationship with individuals to support their right of access are called Individual Access Services Providers (“IAS Providers”). HealthEx is an IAS Provider with respect to certain IAS services it offers through its TEFCA connection.

If you are interested in learning more about TEFCA, please read this Fact Sheet about how individuals can access their health information via TEFCA: https://rce.sequoiaproject.org/rce-tefca-for-individuals/

3. Privacy Commitments

HealthEx adheres to applicable federal and state privacy laws and TEFCA privacy and security requirements when we process your individually identifiable information through our TEFCA connection. Specifically, we commit to the following:

  • IAS Consent: Before we engage in patient-directed data sharing through our TEFCA connection, we will ask you for your express, written and informed consent first. We call this consent our Individual Access Services Consent (“IAS Consent”). We may collect this IAS Consent electronically or in paper form. You can revoke your IAS Consent at any time as explained later in this Notice, see Section 10. If you revoke your IAS Consent you will not be able to access our IAS services through our TEFCA connection after that, unless you sign a new IAS Consent. 

  • Confidentiality: We use commercially reasonable efforts to protect individually identifiable information from unauthorized or illegal access, modification, use, or destruction.

  • Data Minimization: We collect and use only the minimum amount of individually identifiable information necessary to fulfill the permitted uses described in this Notice.

  • Exchange Purpose Limitation: When individually identifiable information is accessed, used, or disclosed through TEFCA, it is done only for permitted TEFCA exchange purposes.

  • Individual Rights: Individuals can access, request correction, or request deletion of their individually identifiable information as explained in this Notice (see section below on Individual Rights and Contact Information and our HealthEx Privacy Policy).

  • Transparency: Our practices and responsibilities are communicated through policies, agreements, and user notifications.

Our full HealthEx Privacy Policy can be found here: https://healthex.io/privacy-policy.

4. Security Measures

HealthEx implements security safeguards aligned with industry standards and SOC 2 controls to protect individually identifiable information, including:

  • Access Controls: Role-based access, least privilege, and multi-factor authentication (MFA) are required for all systems with individually identifiable information.

  • Encryption: All individually identifiable information is encrypted in transit and at rest using industry standard encryption measures. We do this regardless of whether we obtained the individually identifiable information through our TEFCA connection.

  • Security Testing: Annual third-party penetration testing is conducted.

  • System Monitoring: We continuously monitor for anomalies via infrastructure monitoring tools and intrusion detection systems (IDS).

  • Incident Response: We maintain a formal incident response plan, including 24/7 on-call escalation procedures and post-incident review processes.

  • Business Continuity: Disaster recovery plans are documented and tested annually.

5. Compliance Framework

HealthEx’s internal security, privacy and compliance program is structured to meet or exceed the following standards:

All employees undergo background checks, complete annual privacy and security awareness training, and sign confidentiality agreements.

6. Use and Disclosure of Your Individually Identifiable Information

  • Permitted Uses and Disclosures on TEFCA:
    When participating in TEFCA, HealthEx uses and discloses your individually identifiable information to QHINs, their participants and subparticipants, and other individuals and entities only when allowed under TEFCA, applicable law, and applicable HHS guidance. That means we may use and disclose your individually identifiable information to other individuals and entities that participate in TEFCA or that may request it for the following exchange purposes:

    • Treatment

    • Payment

    • Health Care Operations, including without limitation care coordination / case management, HEDIS reporting, and quality measure reporting

    • Public Health, including electronic case reporting and lab reporting

    • Individual Access Services (IAS)

    • Government Benefits Determinations 

    • Any other exchange purposes approved by ASTP/ONC and RCE as permitted or required by the Participant/Subparticipant Terms of Participation (ToPs).

As an IAS Provider, HealthEx’s primary exchange purpose is Individual Access Services or IAS. However, we may participate in other exchange purposes and may disclose your individually identifiable information through TEFCA for any of the exchange purposes listed above in accordance with TEFCA requirements and if permitted by applicable law. 

You can learn more about the TEFCA exchange purposes by reading this Standard Operating Procedure (SOP): Exchange Purposes (XPs). Please know that the government may decide to change these SOP documents at any time and that we will follow the most current version of these documents. Please also know that once an individual or entity (such as another TEFCA participant or subparticipant) receives your individually identifiable information for one of these purposes, they may keep, use, and redisclose your individually identifiable information for purposes that are allowed by the laws, contracts, and policies that apply to them. We cannot control how recipients of your individually identifiable information who are not our employees or contractors decide to use and disclose it.

Once we receive your individually identifiable information from you, through TEFCA, or from other third parties, please also know that we may use and disclose your individually identifiable information outside of TEFCA for the other permitted uses and disclosures described in this Notice.

  • Permitted Uses and Disclosures through other Health Information Networks/Exchanges (HIN/HIEs):

    We may participate in other HIN/HIEs that support use cases similar to the TEFCA exchange purposes described above. If we do, we will follow the rules of the road for those HIN/HIEs with respect to how we use and disclose your individually identifiable information in connection with them.


  • Other Permitted Uses and Disclosures: 

    Outside of TEFCA or other HIN/HIEs that we may participate in, HealthEx will only use or disclose your individually identifiable information that was obtained through our TEFCA connection:

    • For the services that we are providing to you; 

    • For the proper management and administration of our business and our legal responsibilities, such as providing, operating, maintaining and securing our Platform;

    • To communicate with you about our Platform, including by sending you announcements, updates, security alerts, and support and administrative messages, and to respond to your requests, questions and feedback; 

    • As required by law and in response to legal process, such as subpoenas, court orders and law enforcement demands as further described in this Notice (see Section 12); 

    • With certain vendors, subcontractors, third-party service providers, and subservice organizations that assist us in the services and the proper management and administration of our business and legal obligations, as further described in this Notice (see Section 8); 

    • With your written or verbal consent or otherwise at your direction, including other third parties you have explicitly authorized; and

    • For the other purposes covered in our HealthEx Privacy Policy to the extent they do not conflict with the express use and disclosure restrictions in this Notice.


  • No Marketing or Profiling:
    We do not intend to use or disclose the individually identifiable information we obtain through our TEFCA connection for advertising, profiling, or any other unauthorized purposes. We will ask for your consent before using your individually identifiable information for such purposes. 


  • Not a HIPAA Entity, But Aligned:
    The Health Insurance Portability and Accountability Act and its implementing regulations (collectively, “HIPAA”) is a U.S. federal privacy law that protects health information when it is maintained by certain HIPAA-regulated entities. As an IAS Provider, HealthEx is not directly regulated under HIPAA. But we follow TEFCA’s strict privacy and security requirements, which closely align with HIPAA’s privacy and security protections.

    Please also know that we may provide services to HIPAA-regulated entities, such as health care providers and health plans. When we do that, how we use and disclose protected health information is determined by our contracts with those HIPAA-regulated entities. If you have questions about how your health care provider or health plan and their business associates may use and disclose your protected health information, please read their HIPAA Notice of Privacy Practices or contact them directly.


  • No De-Identification:
    HealthEx does not anonymize or strip identifiers from your data for reuse by third parties.


  • No Use Against You:
    HealthEx will never use your information to make claims against you, except (if applicable) to collect fees or costs for services you requested. 

7. Fees and Costs

HealthEx supports an individual’s right to access their health information and to exercise their individual rights at no cost to the individual. However, if we were to charge an individual fees or costs for our IAS services, those fees or costs would be listed on our website (healthex.io). We also reserve the right to charge fees and costs to businesses for services provided to them or on their behalf, or for other work we may do for them around education, identity verification, consent management and data delivery.

8. Vendors, Subcontractors, Third-Party Service Providers and Subservice Organizations

We use trusted vendors such as Amazon Web Services (AWS) and Azure for infrastructure and hosting. These vendors have undergone industry standard security certification. Vendor risk assessments and subprocessor reviews are conducted annually. We may also contract with other types of vendors, subcontractors, third-party service providers and subservice organizations to assist us in providing the services and supporting the proper management and administration of our business and legal responsibilities. Our contracts with them require them to protect the confidentiality of individually identifiable information.

9. Data Retention and Disposal

We retain the individually identifiable information obtained through our TEFCA connection for the minimum duration necessary (not to exceed 72 hours unless explicitly requested to do so by you or required by law) to fulfill the permitted purposes for which we are processing it. After this period of time, your individually identifiable information is securely deleted in accordance with industry standards or de-identified according to our Data Retention Policy. But please know that this deletion requirement does not apply to any individually identifiable information that may be contained in our audit logs or for which it is technically infeasible for us to completely delete. 

10. Individual Rights and Contact Information

You have the right to:

  • Access your individually identifiable information anytime through our patient portal or by writing to us as described below.

  • Download your individually identifiable information in a machine-readable format. You can download your individually identifiable information by going through the individual

  • Request corrections to your individually identifiable information by writing to us at the address(es) listed below. 

  • Request deletion of your individually identifiable information (except audit logs), unless prohibited by law. You can delete your full clinical record by going to the My Account page, and choosing to Delete your data. 

  • Revoke your IAS Consent at any time via the patient portal’s "My Projects" page. This is simple, electronic, and immediate. Revoking the IAS Consent you gave to us stops us from continuing to request or disclose your individually identifiable information through our TEFCA connection, but does not undo our prior authorized requests or disclosures. It also does not stop any uses or disclosures that are either required by law or that are otherwise permitted by applicable law. 

  • Get notified if your data is involved in an IAS Incident. An “IAS Incident” is one of the following: (a) an unauthorized acquisition, access, disclosure, or use of unencrypted individually identifiable information that does not qualify for an exception; or (b) another security event that is set forth in the Standard Operating Procedure (SOP): TEFCA Security Incident Reporting.

  • Submit requests to access, correct, or delete your individually identifiable information or to file a privacy or security complaint with us by contacting us at:

    HealthEx Security, Compliance and Privacy Team

    Email: security@healthex.io

    Mailing Address: 

    HDX Labs, Inc., 

    2021 Fillmore St PMB2352, 

    San Francisco, CA 94115

    USA

    Please know that we process your requests within a reasonable period of time. There may be instances where we need more information from you to process your request in accordance with applicable law, and some laws might prohibit us from honoring a request to delete individually identifiable information.

We document and track all privacy-related concerns according to our incident response process.

12. Legal Proceedings and Law Enforcement Requests 

If we receive a civil or criminal subpoena, court order, search warrant, or other demand for compulsory disclosure or law enforcement request for your individually identifiable information that we obtained in connection with our TEFCA connection, we will notify you within three (3) business days, unless we are prohibited by law from doing so (e.g., Patriot Act).

Unless required by law to do so, we will use our best efforts to not share your individually identifiable information related to reproductive health care services or gender affirming care in response to subpoenas, court orders, or law enforcement requests. However, please know that there may be circumstances in which we are required by law to share this information pursuant to such a legal process.

To the extent permitted by applicable law, you’ll have a chance to object or seek a protective order.

13. Changes to This Notice

  • If we make material changes, we will update this Notice and let you know.

  • All changes to this Notice will also be posted to our website at healthex.io/privacy.

  • This Notice remains in effect as long as we hold your individually identifiable information that we processed through our TEFCA connection.