Individual Access Service Privacy and Security Notice
Previous Versions:
Effective Date: February 1, 2026
Unit 387’s (“Unit 387,” “we,” “us,” or “our”) Individual Access Service (“IAS”) platform provides individuals with a single point of access to all their health information, no matter where that information exists, on demand.
This Individual Access Service Privacy and Security Notice (“IAS Privacy and Security Notice”) describes how we may access, exchange, use, and disclose your individually identifiable information as an IAS Provider in connection with the Trusted Exchange Framework and Common Agreement (“TEFCA”), and your rights with respect to such individually identifiable information. Individual identifiable information is information that identifies you or with respect to which there is a reasonable basis to believe that the information could be used to identify you. Information that is de-identified is not individually identifiable information.
This IAS Privacy and Security Notice is intended to fulfill the requirements of the U.S. Department of Health and Human Services (“HHS”), Assistant Secretary for Technology Policy (“ASTP”) / Office of the National Coordinator for Health IT (“ONC”) and the Recognized Coordinating Entity (“RCE”) with respect to our participation in TEFCA as an IAS Provider. Please know that this Notice is limited to our TEFCA participation as an IAS Provider. Other notices and policies may apply to how your individually identifiable information is processed by us outside of TEFCA or if we are processing your individually identifiable information on behalf of your health care provider, health plan, or other third party who also participates in TEFCA.
This IAS Privacy and Security Notice supplements and is in addition to our Privacy Policy. To the extent this IAS Privacy and Security Notice conflicts with our general Privacy Policy, this IAS Privacy and Security Notice controls with respect to the individually identifiable information we collect about you through our TEFCA connection.
When you use one of our customers’ digital properties to create a personal health record, you may be introduced to Unit 387 as their secure data intermediary partner. In this role, we will retrieve your individually identifiable information from other sources on your behalf and transfer it to the customer’s digital property. As our customers’ service provider, our contractual obligations are not with you, but with our customer. Any information we collect, process, or transfer on your behalf is governed by their terms of service and privacy notices with you.
Unit 387’s obligations under this ISA Privacy and Security Notice will continue for as long as we maintain individually identifiable information.
We may collect the following types of individually identifiable information: