Innovative Leaders in Healthcare AI & Blockchain Enhancing the Patient-Provider Care Partnership

TELEMEDIX, LLC

PRIVACY AND SECURITY POLICY (Privacy and Security Notice)

Effective Date: April 24, 2026

TEFCA IAS Provider Compliant — SOP v2.1

TeleMEDix PROVIDES BIDIRECTIONAL SERVICES. THIS GIVES YOU THE ABILITY TO REQUEST ACCESS TO YOUR HEALTH INFORMATION VIA TEFCA EXCHANGE AND TO HAVE THE OPTION TO SHARE YOUR HEALTH INFORMATION WITH OTHER PARTICIPANTS IN TEFCA.

Thank you for being a part of the TeleMEDix community. This Privacy and Security Policy (this “Policy”) explains how TeleMEDix, Inc. (“TeleMEDix,” “we,” “us,” or “our”) collects, uses, stores, shares, and protects information when you visit www.telemedix.net (the “TeleMEDix Website”), use our mobile application (the “TeleMEDix App”), or interact with us in any other context in which we provide or link to this Policy (together, the “Services”).

TeleMEDix is an AI-enabled digital health services platform for patients and providers. Patients can access and manage their Lifetime Medical Records, collaborate with providers and clinical care teams, and benefit from AI-powered health monitoring, clinical decision support, prior authorization, telehealth, care coordination, and related services.

TeleMEDix participates in the Trusted Exchange Framework and Common Agreement (TEFCA) through the Kno2 Qualified Health Information Network (QHIN). All data sharing conducted through TEFCA is performed in accordance with the TEFCA Common Agreement and applicable U.S. Department of Health and Human Services (HHS) guidelines.

Please review this Policy, which is incorporated into and made part of our Terms of Use. By using the Services, you confirm that you understand and agree to the provisions contained in these documents. If you do not understand or agree with this Policy or our Terms of Use, please contact us using the information provided below. If you do not agree, you may not use the Services.

TABLE OF CONTENTS

  • Key Definitions
  • How We Collect Your Information
  • How Your Information Is Stored
  • How We Use Your Information
  • Data Collection Technologies
  • When We Share Your Information
  • Patient Data and How We Access It
  • Security Practices
  • Patient Consent Requirements
  • Your Rights
  • Consent Revocation
  • Data Sale and Data Sharing for Value
  • Fees and Costs
  • Law Enforcement and Legal Demands
  • Data Breach Notification
  • Note to International Users
  • Children’s Privacy Rights
  • Retention of Your Information
  • Third-Party Links and Services
  • Changes to This Policy
  • How to Contact Us

1. KEY DEFINITIONS

“Aggregate Information” is information that has been combined with information about other users and analyzed or evaluated as a whole, such that no specific individual may be reasonably identified.

“Cookies” are small text files that are placed on your device by a webpage server. Cookies are uniquely assigned to your browser or device and can only be read by a web server in the domain that issued the Cookie to you.

“Health Care Providers” are providers, doctors, specialists, professionals, and other organizations who deliver health care services to you and/or participate in your treatment.

“Health Device Data” is any information derived from a mobile device or wearable fitness tracker that tracks or monitors behavior in a way intended to give you insight into physical activity and wellness.

“Patient Data” is any health-related information, including Protected Health Information (PHI) as defined under HIPAA, that we collect, receive, create, or maintain in connection with providing the Services to you.

“Personal Information” is any information that relates to you directly or indirectly, including but not limited to Patient Data, contact information, and Usage Information.

“Usage Information” is information that we automatically collect about your device and your use of the Services. This may include your IP address, domain server, device and browser type, referring webpage, and other statistics associated with the interaction between your browser or device and the Services.

“Web Beacons” (also known as “clear GIFs” and “pixel tags”) are small bits of code embedded in web pages or emails used to monitor the behavior of a website user or email recipient.

“Your Content” is the information, comments, photos, images, video, data, text, and other content that you may post, upload, store, share, send, or display through the Services. Your Content also includes any copies of or excerpts from medical records and Personal Information that you upload to the Services.

“TEFCA” refers to the Trusted Exchange Framework and Common Agreement, a national framework for health information exchange administered by The Sequoia Project under the direction of the Office of the National Coordinator for Health Information Technology (ONC).

“QHIN” refers to a Qualified Health Information Network, a network that has signed the TEFCA Common Agreement and facilitates the exchange of health information among its participants.

2. HOW WE COLLECT YOUR INFORMATION

We may collect your information in the following ways:

When you voluntarily share your information with us. We will ask you to provide us with information in order to access certain features of TeleMEDix. For example, when you create an account, we may ask for your name, contact information, date of birth, and health information. When you create a profile, we may collect your photos and additional information. We may also conduct surveys or polls.

When you use interactive tools on the TeleMEDix App. We may collect your information when you use interactive tools such as uploading medical records (including C-CDA documents), syncing Health Device Data, or using AI-powered clinical decision support features.

When you submit content. Certain features may allow you to communicate Your Content on public forums or to share it with Health Care Providers. When you share Content in this way, you do so at your own risk.

Automatically through your use of the TeleMEDix Website. When you navigate our Website, we and our service providers may collect Usage Information through Cookies, Web Beacons, and other identifiers (collectively, “Data Collection Technologies”). See the Data Collection Technologies section below.

Through TEFCA Exchange. When you use our Individual Access Services (IAS), we may receive health information about you from other participants in the TEFCA network, including hospitals, clinics, laboratories, and other healthcare organizations. Before this occurs, you will be asked to provide your express, informed consent.

From social networks and other third parties. We may collect your information from sources other than you, such as from social networks, other users, and our business partners. Your interactions with social networks are governed by that network’s privacy statement.

If you choose not to provide us with any of your information, you may still access some of our Services, though certain features requiring your information may not be available.

3. HOW YOUR INFORMATION IS STORED

Your information, including Patient Data and Your Content, is stored using secure, enterprise-grade cloud infrastructure. All Patient Data is encrypted both in transit (when being sent between systems) and at rest (when stored on our servers). We employ industry-standard encryption protocols, access controls, audit logging, and network security measures to protect the confidentiality, integrity, and availability of your data.

TeleMEDix maintains access to information stored with our cloud infrastructure providers for the purposes described in this Policy. Please refer to the Security Practices section below for more information.

4. HOW WE USE YOUR INFORMATION

We use your information to operate, provide, analyze, and improve the Services, consistent with our commitments in this Policy. These activities include:

Provide you the Services and fulfill your requests. We use your information to register you, administer your account and profile, enable transactions, and provide you the information and services that you request, including health care information, clinical decision support, telehealth, care coordination, and related services.

Facilitate health information exchange. With your consent, we use your information to request, receive, and share health records through TEFCA and Carequality networks, enabling your Lifetime Medical Record aggregation and care coordination with your providers.

Communicate with you. We may contact you to share information and marketing materials that we think might be of interest to you. You may unsubscribe from marketing emails by emailing us at support@telemedix.net or using the unsubscribe link in the email. We may also send you administrative messages such as support updates, technical notices, security alerts, and notices about changes to this Policy or our Terms of Use.

Enhance your experience. We use your Usage Information to personalize and enhance your experience, such as tailoring content and remembering your preferences.

Monitor, improve, and develop new Services. Your information helps us improve the content and functionality of our Services. We may use demographics, interests, uploaded Content, and usage patterns to create new features and content, and to monitor and analyze trends, usage, and activities.

Prevent illegal activities. We use your information to detect, investigate, and prevent fraudulent transactions and other illegal activities, and to protect the rights and property of TeleMEDix, our users, and others.

De-identified and Aggregate Information. We may de-identify or aggregate your information with other users. Any de-identification process will follow recognized standards (such as the HIPAA Safe Harbor or Expert Determination methods). De-identified or Aggregate Information may be used by us for lawful purposes, including analytics and research.

Your Patient Data will not be used to make any claim or assertion against you, except as necessary for TeleMEDix to collect fees for the Services.

5. DATA COLLECTION TECHNOLOGIES

We use Cookies and other Data Collection Technologies to provide you with a better experience when you use the Services. Data Collection Technologies help us remember your settings and preferences and keep your information safe and secure.

For example, we may partner with analytics providers such as Google Analytics, which use Cookies to track your interactions with our Website. These providers collect information and report it to us without identifying individual users. For more information on Google Analytics, visit https://support.google.com/analytics.

Although most browsers and devices accept Cookies by default, their settings usually allow you to clear or decline Cookies. If you disable Cookies, some features of the Services may not function properly.

Do Not Track: Some web browsers incorporate a “Do Not Track” (DNT) feature. Many websites, including ours, do not currently respond to web browser DNT signals. For more information, visit http://allaboutdnt.com.

6. WHEN WE SHARE YOUR INFORMATION

We may share your information for the reason(s) disclosed to you at the time we collect it, with your consent, and in the following ways:

At your direction. We will share your information with third parties when you direct us to. For example, you may ask us to share your health information with your Health Care Providers or authorize sharing with third-party researchers for scientific research purposes.

With pharmaceutical companies and research organizations. With your separate, express consent, we may share your Patient Data with pharmaceutical companies, research organizations, and similar entities on your behalf. These arrangements may involve the provision of free services to you, or predefined remuneration to you or TeleMEDix, depending on the organization and the nature of the engagement. The specific terms, including any compensation or services involved, will be disclosed to you before you provide consent. This type of data sharing requires a separate “Consent to Sale” authorization, which is distinct from your general consent to this Policy. See Section 12 (Data Sale and Data Sharing for Value) for full details.

Through TEFCA Exchange. With your express consent, we may share your health information with other TEFCA participants for treatment, payment, health care operations, and Individual Access Services purposes, in accordance with the TEFCA Common Agreement and HHS guidelines.

With our service providers. We may share your Personal Information with our service providers as necessary to enable them to provide services to us. All service providers are required to maintain security standards at least as protective as those described in the Security Practices section of this Policy.

With our commonly owned entities. We may share your Personal Information with other companies under common ownership and control of TeleMEDix, including our subsidiaries, corporate parent, or any other subsidiaries owned by our corporate parent, in order to provide you better service.

For legal purposes. We may share your Personal Information as reasonably necessary to comply with law or legal process, to detect, prevent, or address fraud, security or technical issues, to enforce this Policy and/or our Terms of Use, and to protect the rights, property, or safety of TeleMEDix, our users, and the public. See the Law Enforcement and Legal Demands section below for required patient notifications.

During a corporate transaction. If TeleMEDix is involved in a merger, acquisition, financing, or sale of business or assets, information collected from and about users may be transferred to one or more third parties involved in such a transaction.

De-identified or Aggregate Information. We may share Aggregate Information and other de-identified information with third parties for their own lawful purposes, and publicly disclose such information.

7. PATIENT DATA AND HOW WE ACCESS IT

When you use the TeleMEDix App, we retrieve your health information on your behalf from hospitals, clinics, laboratories, and other healthcare organizations through the Trusted Exchange Framework and Common Agreement (TEFCA) and the Carequality interoperability network. All data retrieval is performed through our Individual Access Services (IAS) at your direction and with your explicit authorization.

TeleMEDix is subject to HIPAA when providing services on behalf of healthcare providers, and applies the same HIPAA privacy and security protections to all Patient Data in every context, including when you use TeleMEDix to access your own health information directly. All disclosures through TEFCA are performed in accordance with the Common Agreement and applicable U.S. Department of Health and Human Services guidance.

Purpose Limitation

We use your Patient Data only to fulfill your requests and to provide the Services to you. We will not use your Patient Data for any secondary purpose without your explicit consent.

Identity Verification

Before you can use the TeleMEDix App to query for your health records through TEFCA and Carequality networks, you must complete identity verification at Identity Assurance Level 2 (IAL2). This may include providing a government-issued photo identification (such as a driver’s license or passport) and completing additional verification steps. This requirement protects you by ensuring that only verified individuals can access health records through our platform.

Your Authorization

By using the Individual Access Services features of the TeleMEDix App, you grant TeleMEDix explicit written authority to query TEFCA and Carequality networks on your behalf to retrieve your health information. This authorization remains in effect until you revoke your consent as described in Section 11 (Consent Revocation).

No Re-use of Patient Data

Your Patient Data belongs to you. TeleMEDix uses your data to provide the Services to you and does not acquire independent rights to your Patient Data by collecting or storing it. The following restrictions apply to all Patient Data we hold:

  • We will not sell, license, aggregate, or re-disclose your Patient Data for our own commercial benefit, except where you have provided separate, explicit written authority (such as a Consent to Sale as described in Section 12).
  • We will not re-use your Patient Data for internal analytics, product development, model training, or any purpose unrelated to providing the Services to you, unless the data has first been de-identified in accordance with HIPAA Safe Harbor or Expert Determination standards.
  • Any sharing of your Patient Data with downstream recipients (such as pharmaceutical companies or research organizations) requires your separate, express written consent and is subject to the same No Re-use restrictions through binding contractual terms with the receiving party.

These protections apply to all Patient Data without exception, consistent with our obligations under the TEFCA Individual Access Services (IAS) provider requirements.

8. SECURITY PRACTICES

The security of your information is critically important to us. We use commercially reasonable efforts to protect Patient Data and all other Personal Information from unauthorized access, use, modification, disclosure, or destruction. Our security practices include:

  • All Patient Data is encrypted both in transit (using TLS 1.2 or higher) and at rest (using AES-256 or equivalent encryption).
  • Access controls, role-based authentication, and multi-factor authentication for system access.
  • Comprehensive audit logging of all data access and system activities.
  • Regular security assessments, vulnerability scanning, and penetration testing.
  • Physical, administrative, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of information.

These security measures apply to all Patient Data we hold, including but not limited to data obtained through TEFCA.

All third-party vendors and service providers who access Patient Data are contractually required to follow security standards at least as protective as those described in this section.

Our privacy and security obligations continue for as long as we hold Patient Data, regardless of whether your account is active.

No data transmitted over the Internet is 100% secure, and we cannot guarantee the security of any information you transmit to or from our Services. However, we continuously work to improve our security measures.

9. PATIENT CONSENT REQUIREMENTS

Before you use the TeleMEDix Services for the first time, we will obtain your express, documented, and informed consent. You will be provided with sufficient context and information to understand what you are agreeing to before providing consent.

Consent may be collected via electronic signature or paper signature. All consent records are stored in a secure, auditable log sufficient to verify and validate consent if questioned.

If this Policy changes in a material (significant) way, we will obtain your consent again before the changes take effect with respect to your continued use of the Services.

TEFCA Exchange Consent

Before first use of our Individual Access Services (IAS), you will be given the choice of whether or not your data is shared through TEFCA Exchange. You may choose to request access to your health information via TEFCA without electing to share your information with other TEFCA participants. This choice will be presented to you clearly before you begin using the IAS.

10. YOUR RIGHTS

You have the following rights with respect to your Personal Information and Patient Data. We will honor these rights in accordance with applicable law:

Access your data. You have the right to access your own health data at any time through your TeleMEDix account.

Modify your data. We provide you with account settings and tools to access and manage the Personal Information associated with your TeleMEDix account. For data you cannot manage through the app, contact us using the information below.

Delete your data. You may request deletion of all your data held by TeleMEDix, where technically feasible and not prohibited by law. Audit logs are exempt from deletion requests. You can request deletion by contacting us at privacy@telemedix.net or through the in-app settings.

Export your data. You have the right to export your data in a machine-readable format (such as JSON or FHIR). Instructions on how to read and use your exported data will be provided with the export.

Receive breach notification. You have the right to be notified if your data is involved in a security breach. See the Data Breach Notification section below.

Choose TEFCA participation. You have the right to choose whether or not your data is shared through TEFCA Exchange. This choice will be offered to you before first use of our Individual Access Services.

Restrict processing. Applicable law may permit you to request restrictions on the way we process certain of your Personal Information. We will honor such restrictions in accordance with applicable law.

Opt out of marketing. You can opt out of marketing communications at any time by clicking the “Unsubscribe” link in any marketing email, or by contacting us at support@telemedix.net.

Managing Cookies. You have options to control how we and our service providers use Cookies, including the Google Analytics opt-out browser add-on and your mobile device’s privacy and advertising settings.

11. CONSENT REVOCATION

You may revoke your consent to the collection and use of your Patient Data at any time. The revocation process is designed to be simple and not complicated or time-consuming.

How to Revoke Consent

  • In the TeleMEDix App: Navigate to Settings > Privacy > Revoke Consent, and follow the on-screen instructions.
  • By email: Send a revocation request to privacy@telemedix.net.
  • By phone: Call (949) 584-2964 and request consent revocation.

Please note that revoking your consent does not undo actions already taken before the revocation. Once consent is revoked, you will no longer be able to use the Individual Access Services (IAS) feature of TeleMEDix, although other features of the platform may still be available.

12. DATA SALE AND DATA SHARING FOR VALUE

TeleMEDix may share your Patient Data with pharmaceutical companies, research organizations, and similar entities on your behalf, where such sharing involves the provision of free services to you or predefined remuneration. The nature and amount of any compensation or services will vary depending on the organization and will be disclosed to you in advance.

TeleMEDix does not use Patient Data for targeted advertising or marketing to third parties.

Consent to Sale

Because sharing your Patient Data in exchange for value may constitute a “sale” of data under applicable law and TEFCA requirements, TeleMEDix will obtain a separate, clearly labeled consent specifically for this purpose (“Consent to Sale”). This consent:

  • Will be presented separately and distinctly from your general consent to this Policy, so that you may knowingly and explicitly agree to or decline the data sharing.
  • Will never be bundled with, hidden inside, or conditioned upon your acceptance of this Policy or any other general terms.
  • May be collected at the same time as your general consent, but will be visually distinct and require separate acknowledgment.
  • Will identify the specific organization(s) receiving your data, the purpose of the sharing, the type of data involved, and the nature of any compensation or free services.

You may decline to provide Consent to Sale without affecting your ability to use the other features of the TeleMEDix platform. You may also revoke a previously granted Consent to Sale at any time using the same methods described in Section 11 (Consent Revocation). Revocation does not undo data sharing that occurred before the revocation.

13. FEES AND COSTS

Access to TeleMEDix’s Individual Access Services (IAS), including health record retrieval, data export, and TEFCA exchange, is included with your paid TeleMEDix subscription. There are no separate per-transaction fees for these services.

Your subscription fee is charged on a recurring basis in accordance with the plan you select at enrollment. Payment is due at the time of enrollment and at each renewal period thereafter. Details regarding subscription plans, pricing, payment methods, and any applicable grace periods are provided during the enrollment process and are available in your account settings.

TeleMEDix does not charge any additional fees for exercising your rights under this Policy, including the right to access, export, or delete your Patient Data.

If our fee structure changes, we will provide you with advance notice before any new or increased fees take effect.

14. LAW ENFORCEMENT AND LEGAL DEMANDS

If we receive a court order, subpoena, search warrant, or other legal demand for your Patient Data, or if your Patient Data is disclosed to any law enforcement agency, we will notify you within three (3) business days of the demand or disclosure. Upon receiving such notice, you have the right to object to the production of your Patient Data or seek a protective order or other appropriate remedy consistent with applicable law.

Notification may be delayed or omitted only if prohibited by applicable law (for example, under certain provisions of the USA PATRIOT Act or a valid court order that specifically prohibits notification).

15. DATA BREACH NOTIFICATION

In the event of a security breach or data incident affecting your Patient Data, we will promptly notify you and provide the following information:

  • What happened: A description of the incident, including the date it occurred and the date it was discovered.
  • What data was affected: The types of information involved (e.g., name, date of birth, address, Social Security number, diagnosis, treatment information).
  • What you should do: Steps you can take to protect yourself from potential harm.
  • What we are doing: A description of our investigation, mitigation steps, and measures to prevent future incidents.
  • How to contact us: A toll-free phone number ([to be provisioned]), email at privacy@telemedix.net, and www.telemedix.net for further questions.

We will also notify regulatory authorities and others consistent with requirements under applicable federal and state law. If we are already required by another law to send a breach notification for the same incident, we will not send a duplicate notice.

16. NOTE TO INTERNATIONAL USERS

TeleMEDix is based in the United States and the information we collect is governed by U.S. law. By providing us with your Personal Information and using our Services, you acknowledge that your Personal Information will be transferred to and processed in the United States.

We recognize that laws in other countries, including the European Economic Area (EEA), may differ from U.S. law. TeleMEDix is committed to complying with applicable data protection laws outside the United States that apply to our collection and use of your Personal Information.

If you are located in the United States, we have identified the following legal bases for processing your Personal Information: performance of a contract with you; our legitimate interests or those of others (security, operations, compliance); processing in the public interest; and where we have your consent, in accordance with applicable law.

If applicable, you may make a complaint to the data protection supervisory authority in the country where you reside.

17. CHILDREN’S PRIVACY RIGHTS

We are committed to protecting the privacy of children. Neither TeleMEDix nor any of its Services are designed for, intended to attract, or directed toward children under the age of thirteen. We do not knowingly process data of persons under the age of sixteen in the United States. If we become aware that a user is under the applicable age threshold and has provided personal information to us, we will take reasonable steps to remove all information provided by such user from our systems.

18. RETENTION OF YOUR INFORMATION

We keep your information for no longer than necessary for the purposes for which it is processed. The length of time for which we retain information depends on the purposes for which we collected and use it and/or as required to comply with applicable laws, regulatory requirements, and our contractual obligations.

When your information is no longer needed, we will securely delete or de-identify it in accordance with our data retention policies and applicable law.

19. THIRD-PARTY LINKS AND SERVICES

We provide links to third-party websites operated by organizations not affiliated with TeleMEDix. We do not disclose your Personal Information to organizations operating such linked third-party websites. TeleMEDix does not review or endorse, and is not responsible for, the privacy practices of these organizations. We encourage you to read the privacy statements of each website that you visit. This Policy applies solely to information collected by TeleMEDix through the Services.

20. CHANGES TO THIS POLICY

As we improve our Services over time, we may need to update this Policy to reflect new ways we may collect and use your information. When we update this Policy, we will post a new Effective Date at the top.

If we make material changes that would impact your use of the Services or your privacy, we will proactively notify you before the changes take effect, by email, push notification, or your preferred communication channel. Material changes will be clearly highlighted so that you can easily identify what has changed. In the case of material changes, we will obtain your consent again before the changes apply to your continued use of the Services.

Minor, non-material changes (such as formatting corrections or clarifications that do not change the substance of the Policy) may be made without advance notice.

21. HOW TO CONTACT US

Questions, comments, or complaints about this Privacy and Security Policy or our data handling practices can be directed to:

TeleMEDix, Inc.

Privacy Officer: Mark Shisshida

Security Officer: Daniel Manuputtij

260 Newport Center Drive, Suite 100, Newport Beach, CA 92660

Phone: (949) 584-2964

Email: privacy@telemedix.net

General Support: support@telemedix.net

We maintain a log of all privacy complaints received and document how each complaint is handled and resolved.

Our toll-free number for Individuals to ask questions or learn additional information related to TEFCA and any IAS Privacy Incident is: (888) 338-8305.

This Policy was prepared in compliance with the TEFCA Standard Operating Procedure: Individual Access Service (IAS) Provider Requirements, Version 2.1 (Effective March 17, 2026), published by The Sequoia Project, and the Kno2 Platform Connector Approval requirements.