Privacy and Security Notice

Effective Date: March 23, 2026

Introduction

Trove Health is committed to protecting your health information. This Privacy and Security Notice describes how we collect, use, disclose, and safeguard individually identifiable information in connection with our Individual Access Services (IAS). We adhere to the requirements of HIPAA, TEFCA, and all applicable federal and state laws. Trove Health operates as a Request-Only IAS Provider under TEFCA, meaning users can request health data but Trove Health does not share information bidirectionally through its platform.

Definitions

Key terms used in this notice include: "Individually Identifiable Information" refers to any information that can identify a specific individual, including health records and demographic data. "IAS Provider" means an Individual Access Services Provider under TEFCA. "TEFCA Exchange" refers to data exchange conducted under the Trusted Exchange Framework and Common Agreement. "Material Change" means a significant modification to these practices. "IAS Incident" means a security incident affecting individually identifiable information. "Applicable Law" includes HIPAA, TEFCA, and relevant federal and state regulations. "Framework Agreement" refers to the TEFCA Common Agreement.

Scope of This Notice

This notice applies to all Individual Access Services provided by Trove Health. It describes how we handle identifiable health data across our services and TEFCA exchanges. This notice is publicly available and written in plain language in accordance with Federal Plain Language Guidelines.

How We Collect Information

We collect information from the following sources: directly from individuals when they create accounts or submit requests; from healthcare providers and health information networks through TEFCA-aligned exchanges; and from authorized third parties acting on behalf of individuals. The types of information collected include names, contact details, health records, claims data, and other individually identifiable information necessary to provide our services.

How We Use Information

We use your information to: provide and operate our Individual Access Services; facilitate TEFCA exchange access for patient-authorized data retrieval; communicate with you about your account, including via SMS with your consent; comply with legal and regulatory requirements; protect against security threats and unauthorized access; and respond to regulatory inquiries and audits. We will not use your information to assert claims against you, except as necessary for the collection of fees for services provided.

No Sale of Information Attestation

Trove Health explicitly attests that it will not sell individually identifiable information, receive compensation in exchange for such data, or use it for targeted advertising, marketing, or any commercial purposes unrelated to Individual Access Services. Any future changes to this attestation will require prior notice and documented consent from affected individuals.

How We Share Information

We may share your information with: you, the individual, directly; healthcare providers participating in TEFCA exchanges; third-party service providers who assist in delivering our services (including cloud infrastructure providers, identity verification services, and communication platforms); law enforcement agencies when required by law; and other parties as permitted by applicable law. All recipients are bound by contractual obligations to protect your information.

De-Identification of Information

Trove Health may de-identify information in accordance with applicable law and TEFCA guidance. De-identified information may be used to support analytics, research, product improvement, and public health purposes. We implement safeguards to prevent re-identification of de-identified data.

TEFCA Disclosures

All data exchanges conducted through TEFCA comply strictly with the Common Agreement and HHS guidance regarding permitted uses and disclosures. We adhere to all requirements specified in the IAS Provider Requirements SOP.

HIPAA Status

Trove Health is subject to the HIPAA Rules when performing Individual Access Services as a Business Associate of Covered Entities. We adhere to all applicable requirements of the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.

Legal and Law-Enforcement Disclosures

When we receive subpoenas, court orders, search warrants, or other compulsory disclosure demands, Trove Health will provide written notice to affected individuals within three (3) business days, unless prohibited by law. This notice allows affected individuals the opportunity to object or seek protective orders before disclosure occurs.

Sensitive Information

Enhanced protections apply to sensitive categories of health information, including reproductive health data and gender-affirming care data. Any required disclosures of sensitive information comply with applicable law, and individuals are notified when legally permitted.

Security Measures and Conformance

Trove Health implements commercially reasonable protections for your information. We encrypt all data in transit and at rest, maintain SOC 2 Type II certification and HITRUST e1 assessment, enforce role-based access controls, and maintain comprehensive incident response procedures. In the event of a data breach, we will notify affected individuals as required by law, providing details on the nature of the incident, the types of information affected, the steps taken to protect individuals, and the actions being taken to prevent future incidents.

Third-Party Service Provider Practices

All third-party service providers engaged by Trove Health must execute written agreements requiring: protection of information consistent with this notice and applicable law; implementation of appropriate administrative, technical, and physical safeguards; encryption of data in transit and at rest; limitation of use to contracted purposes only; prompt notification of any security incidents; and return or secure destruction of information upon termination of the service relationship.

Your Privacy Rights

As an individual, you have the right to: access your information through PatientChart or by written request; export your data in machine-readable formats including JSON FHIR, C-CDA XML, and CSV; request corrections to inaccurate information; request deletion of your information (with the exception of audit logs required for compliance); request restrictions on the use or disclosure of your information; and opt out of TEFCA exchange participation.

Consent

We obtain express, documented consent from individuals prior to accessing, exchanging, using, or disclosing their information, except where disclosure is required by applicable law. Any material changes to our practices will trigger new notification and consent processes.

How to Revoke Consent

To revoke your consent, send an email to privacy@trovehealth.io with the subject line "Revoke Consent." Include your full name and the mobile number registered to your account. Confirmation of receipt will be provided within two (2) business days, and processing will be completed within five (5) business days. Upon revocation, all data access will cease except where continued processing is required by applicable law.

Individual Choices

You may exercise the following choices regarding your information: decline to create an account; control your participation in TEFCA disclosures; revoke consent at any time; request access to, export of, correction of, or deletion of your data; opt out of non-essential communications; and manage cookie preferences through your browser settings.

Data Retention

Information is retained for three (3) years following your last platform activity, or longer if required by applicable law. After the retention period, data is securely deleted or de-identified, except as required by law or contained in audit logs necessary for compliance purposes.

Fees

Currently, no fees apply to Individual Access Services or the exercise of your privacy rights. If fees are introduced in the future, they will be disclosed in this notice before taking effect.

Material Changes to This Notice

Updates to this notice will be posted prominently at trovehealth.io/privacy-policy and communicated to enrolled individuals. All modifications will be clearly indicated, and the effective date will be displayed at the top of the document.

General Privacy Policy

Beyond the TEFCA-specific requirements above, our general privacy practices address: cookies and website tracking (controllable through browser settings); log data and analytics collection for performance monitoring and security; third-party provider relationships governed by contractual obligations; international data transfer safeguards; a strict prohibition on selling data for marketing purposes; children's privacy compliance; and user control mechanisms for managing personal data preferences.

Regulatory References

This notice is informed by and compliant with: HIPAA (Health Insurance Portability and Accountability Act); TEFCA (Trusted Exchange Framework and Common Agreement); IAS Provider Requirements SOP v2.0 (July 1, 2024); and Federal Plain Language Guidelines.

Language and Accessibility

Translated versions of this notice and accessible formats are available upon request. Please contact admin@trovehealth.io for assistance.

Contact the Privacy Office

Trove Health, Inc. (Delaware Corporation)
Phone: +1 (415) 800-4442
Email: privacy@trovehealth.io

For questions about this Privacy and Security Notice or to exercise your privacy rights, please contact us using the information above.