Privacy and Security Notice For Individual Access Services (IAS)
Most recently updated: August 24, 2025
Adopted: August 25, 2024
Purpose of Notice
Our purpose in providing this notice is to give transparency about the privacy and security aspects of individual information in Individual Access Services (IAS), as may be necessary to inform potential IAS users of the terms of IAS. This IAS privacy and security notice should be read in conjunction with all other terms and information concerning IAS. In the event of any conflict between that information and this notice, this notice will control.
Where to Find the Current Notice and Future Updates
This Privacy and Security Notice for IAS is posted for public display at https://www.unblock.health/individual-access-services/. We may update this notice at any time. Updates will take effect on their posting dates. All updates will be posted at that web address. We also notify IAS users of material updates from time to time.
How We Approach Privacy and Security
IAS is a means for obtaining protected health care information from a nationwide network for the private and secure exchange of health care information. The nationwide network adopted the security standards of the Trusted Exchange Framework and Common Agreement (TEFCA), and IAS is required to adhere to particular TEFCA standards. Only by our adherence to the standards are we permitted to provide access to health information on the network.
Under TEFCA principles, we do not assume consent is given on the basis of registration by an IAS user alone, and we send this notice to provide information that potential IAS users may want to consider in choosing whether to consent and use IAS or refuse to consent and not use IAS. We intend this notice to be a transparent mention of the factors a potential IAS user may consider important. We welcome questions and requests from potential IAS users.
To obtain clarification or request more information, address our Privacy Department at privacy@unblock.health.
Individuals who are IAS users or potential IAS users should address complaints regarding the privacy policies described in this notice by email addressed to our Privacy Department at privacy@unblock.health.
Our user-facing IAS application will identify a department or an individual to contact who can respond to questions or complaints.
We document each privacy-related complaint, our related communications and the disposition of each privacy complaint.
Why We Need and Request an Individual User’s Individually Identifying Information
For providing IAS, we need to request each IAS user’s individually identifiable information for purposes of establishing that the information request is authentically the IAS user’s request with the health care information network and participants in it. For IAS, we limit disclosure to the disclosure of encrypted information that can be compared with individual information held and believed authentic by a relevant TEFCA network participant.
Individual Information Is Never Sold
We do not sell or exchange the information an IAS user sends or receives with IAS. The IAS user’s individual information and health care information is encrypted (not readable) while in transit to or from us and at all times while at rest.
The IAS user is given the sole power to control who can receive and ultimately decrypt and read the information. Decryption occurs when the IAS user or a designated recipient of encrypted TEFCA information uses a means to unencrypt (in order to read) the information. The term TEFCA information ceases to apply to the decrypted information. If received by the IAS user, TEFCA does not impose any requirements or limitations on the information after the user obtains it. Health care organizations follow information privacy and security standards imposed by HIPAA and the HIPAA Privacy Rule, and they are subject also to TEFCA as to TEFCA information while it is TEFCA information (encrypted). Our obligations under this notice will continue for as long as the TEFCA information survives in accordance with section 10.6 of the Common Agreement.
No Claims Against IAS Users
Under TEFCA, we can never assert any sort of claim against an IAS user with respect to information sent, received or shared through the network of healthcare information (TEFCA information) even if we were able to access, exchange, use, or disclose it. Notwithstanding that system records may also refer to TEFCA information, we may use system records to calculate and claim usage fees or charges if necessary.
Consent and Controlled Sharing of TEFCA Information
TEFCA Information may not be accessed, exchanged, used, and disclosed to third parties by us without the consent of the IAS user. We obtain that consent when an IAS user gives us instructions to share or receive TEFCA information.
From time to time we use service providers, on condition that they accept and perform the same obligations that we undertake to protect individually identifiable information and all TEFCA information.
Also, TEFCA information might be seen incidentally in audit logs, which we use only for the normal permitted purposes of audit logs.
Involuntary Disclosures May Occur
We cannot assure against all kinds of involuntary disclosure. For example, third parties may seek to compel our disclosure of TEFCA information, and we may be required to disclose it unless we successfully oppose such efforts in each case.
To the extent that any person holds TEFCA Information, the person may receive legal demands, including subpoenas or court orders (“Legal Compulsion”) seeking disclosure of TEFCA information. Legal Compulsion may call for disclosure of any TEFCA information, which may include the information related to an IAS user’s reproductive health care, pregnancy, termination of pregnancy, or gender-affirming care, even if the IAS user paid for those health care services. See “Objecting to Compulsory Disclosure of TEFCA Information” below.
Cyber Threats
Third parties may seek to compromise the privacy and security of IAS unless our efforts, or efforts of the IAS user, succeed in preventing such legal outcome in each case.
Period of Time We Retain the TEFCA Information
We hold TEFCA information only from the time we receive it until shortly after delivering it as instructed by the relevant IAS users.
Once the requested exchange is complete, TEFCA Information (TI) is securely deleted or rendered inaccessible, except as required in the following limited cases:
- Temporary Retention for Delivery Integrity: TI may be briefly retained in encrypted form to confirm successful transmission and troubleshoot delivery errors.
- Audit Logs and Security Monitoring: TI may appear in system audit logs or monitoring records as required by the TEFCA Common Agreement. Such information is accessible only for audit, compliance, or security purposes and not for secondary use.
- Legal or Regulatory Requirements: If law, regulation, or valid legal process requires retention, we may retain TI in encrypted form for as long as legally mandated.
No De-Identification
We will never de-identify electronic health care information of IAS users because de-identified data cannot serve any of the intended purposes of IAS.
Which Individually Identifiable Information Is Collected for IAS
Types of Data We May Collect:
We ask IAS users for proof of identity such as typically contained in birth certificates, official identification documents, and medical benefits cards.
Other Information We Request
We request IAS users to indicate a preferred email address and mailing address for receiving communications from us concerning IAS from time to time in our discretion.
We ask IAS users how they prefer to receive our electronic communications, which may change from time to time. Promptly after IAS users indicate a preference or change in preference, our future IAS communications to the IAS user will be attempted according to the latest preferences as indicated.
We ask IAS users to disclose an email address, first name and last name, one or more physical and mailing addresses, one or more phone numbers, and other information we may request in the reasonable exercise of our discretion. Some information is used for authenticating the IAS user’s identity across the health information network.
Authorized representatives of the individual are asked to disclose information concerning authority as well as identification for access control.
Our Automatic Data Collection
We automatically collect usage data, Internet Protocol (i.e. IP) addresses, browser type, browser version, time and date, elapsed time, unique device identifiers and other similar data from each device used by IAS users to access IAS.
Cookies
We deliver cookies from https://www.unblock.health/individual-access-services/ (a designated [sub]domain of our website) only for the purpose of providing IAS to IAS users.
To enjoy the features of IAS through a browser, the browser should be set to allow all cookies from our IAS https://app.unblock.health/. This includes both cookies that persist during a session and cookies that are persistent over several sessions. Without these cookies, beacons, tags, and scripts, IAS users may experience abnormally-functioning IAS features.
Individuals that do not allow our cookies must accept any associated risks. We retain the right to discontinue or limit user access as we deem necessary for quality assurance, privacy or security, all in our sole and absolute judgment.
With regard to IAS users' choices regarding cookies from other web sites or publicly accessible areas of our website domain, please visit our Cookies Policy in our publicly accessible website’s Privacy Policy at https://unblock.health/privacy-policy.
Disclosures through TEFCA
All disclosures we make through TEFCA are in accordance with the permitted and required uses and disclosures specified in the Common Agreement and applicable U.S. Department of Health and Human Services guidance.
TEFCA Applies in Addition to Any Applicable HIPAA Requirements
TEFCA requirements are in addition to all HIPAA requirements that may apply to the participants in TEFCA. We follow the HIPAA Privacy Rule.
Under our service agreements, we may agree to perform the obligations that HIPAA and the HIPAA Rules establish for a “business associate” of a “covered entity”.
Objecting to Compulsory Disclosure of TEFCA Information
Under certain circumstances, we may be legally required to disclose individually identifiable information in response to valid requests by public authorities (e.g., a court or a government agency).
Unless prohibited by applicable law, we will provide written notice to affected IAS users within three (3) business days after receiving notice of any such demand. IAS users may exercise any available rights under law or equity, such as to object to production or to obtain a protective order. Such efforts would be at the sole cost of such IAS user absent an agreement to the contrary.
Notice of Disclosure of TEFCA Information
We will provide written notice to affected IAS users within three (3) business days after making that IAS user’s individually identifiable information available to any law enforcement agency except if in that instance the law prohibits us from giving notice to the IAS user.
TEFCA Privacy and Security Standards
Under TEFCA, we are required to act in accordance with section 10 of the Common Agreement and accordingly protect the security of the information we hold in the manner described therein.
We devote commercially reasonable efforts to protecting individually identifiable information from any unauthorized or illegal access, modification, use, or destruction.
Encryption
Every bit of individually identifiable information we hold is encrypted when received, while in transit, and while at rest.
Notification of Security Incidents
As part of our constant commitment to privacy and security, we must notify IAS users in accordance with the Common Agreement if their information is affected by a security incident involving us.
We select service providers with great care. We require third-party services to agree to the same standards and practices that we follow.
We limit access permissions to the minimum necessary for a permitted purpose.
We monitor our systems.
We cannot and do not permit service providers to decrypt TEFCA data.
This Notice is Provided in Advance of Consent
We enforce a requirement that all IAS users express written consent to the terms of this notice, as then in effect, prior to the IAS user’s access, exchange, use or disclosure of the IAS user’s TEFCA Information, except only disclosures that are required by law.
IAS users are advised to read and understand this notice because it describes the context and consequences of giving consent and using IAS.
We may be required to obtain an IAS user’s consent again if we make changes to this notice that materially change our collection or use of individually identifiable information.
We may obtain IAS users' consent via electronic signatures as permitted in the E-Sign Act.
We maintain a secured, auditable log that is sufficient to validate and verify the consents.
How to Revoke Consent to this Notice
Consent may be revoked by logging into IAS and using the “Opt-Out” option available in the account settings of the Unblock Health platform. Once an opt-out request is submitted, the IAS user’s access to IAS services will be discontinued.
Revocation of consent cannot affect any actions taken by us in reliance on the consent prior to the date of such revocation.
Subsequent to such revocation, the IAS user will no longer be able to log in or access any IAS provided through us. An IAS user must authenticate to establish a right of access each time access is requested.
IAS Users’ Rights
IAS users have rights to request to download or receive individually identifiable information we collected about them. These rights exclude the information retained in our audit logs.
Individual Access Service User Privacy Statement: Data Access and Download
Individual Access Service (IAS) respects your right to access and control your personal information. As an IAS verified user, you have the right to request a download of the individually identifiable information (PII) we have collected about you. This excludes information retained in our audit logs for security purposes.
Information We Collect:
The PII we collect may include:
- Demographics information, such as
  - First name
  - Last name
  - Gender
  - Email address
  - Phone number
  - Address
  - Country and Zip code
Requesting Your Data:
To request a download of your PII, please follow these steps:
- Log in to your account.
- Navigate to the “Account Settings” section.
- Find the option for “Download IAS Verified Data”.
- Follow the on-screen instructions to submit your request. You may be prompted to provide additional information for verification purposes.
Data Format and Delivery:
Once your request is verified, you will receive your IAS verified personal data in a common, human readable format, such as CSV or PDF. You will receive the data through your preferred method, which may include a secure download link.
Exclusions:
Information retained in our audit logs cannot be downloaded due to security and compliance requirements. This information is essential for maintaining system integrity and investigating potential security incidents and users’ behavior and activity in the platform.
IAS users have rights to request to delete their individually identifiable information except where prohibited by applicable law or the final order of any court and except for audit logs.
Individual Access Service (IAS) User Privacy Statement: Data Deletion Rights
This privacy statement outlines the rights of Individual Access Service (IAS) identified users regarding their individually identifiable information (PII) and the process for its deletion. We understand the importance of data privacy and are committed to respecting your rights.
Right to Request Deletion of Individual Access Service (IAS) identified data:
As an IAS identified user, you have the right to request the deletion of your personal identified data, except for audit logs, subject to certain exceptions outlined below.
Exceptions to Deletion:
We may be unable to process your deletion request if your PII is required to:
- Comply with applicable laws or regulations.
- Fulfill the final order of any court.
Data Deletion Process:
To request deletion of your PII, please follow these steps:
- Log in to your account.
- Navigate to the “Account Settings” section.
- Find the option for “Delete or Opt-Out IAS Verified Data”.
- Follow the on-screen instructions to submit your request. You may be prompted to provide additional information for verification purposes.
Upon receiving your deletion request, we will take the following steps:
- Identify your PII: We will use the information you provided in your request to locate your PII within our systems.
- Review for exceptions: We will assess whether any exceptions apply to your request, as outlined above.
- Delete your PII: If deletion is approved, we will securely erase your PII from our systems using industry-standard practices.
- Confirmation: We will send you a confirmation email once your PII has been deleted.
Please note:
- Deletion of your PII may impact your ability to access certain features or functionalities of the IAS.
- Deleted data cannot be recovered.
We are committed to protecting your privacy and ensuring the security of your PII. If you have any questions about this privacy statement or our data deletion practices, please do not hesitate to contact us.
IAS users can exercise their rights by the means described under this section and through our IAS user-facing application. We are committed to implementing IAS users' choices within a reasonable time.
We are not aware of any law prohibiting us from honoring a request to download the individually identifiable information we may hold for purposes of IAS, although this will include the information we hold at that time and cannot include the TEFCA information. After we gather and deliver TEFCA information, we do not retain it except as may be incidentally included in encrypted audit logs or as required by law. Such information is never used for any other purpose and is protected in compliance with TEFCA and HIPAA Security Rule standards.
We are not aware of any law prohibiting us from honoring a request to delete the individually identifiable information we hold. We do not retain TEFCA information, and therefore any TEFCA information we held has already been deleted; information elsewhere in the TEFCA network is outside our control.
We Charge No Fees for IAS
At this time, Unblock Health will not charge IAS users, patients, any fees to use IAS. IAS users are free to exercise every right described in this notice at no charge.
Mandatory Electronic Communications and IAS Users' Incidental Costs
IAS users need their own devices, browsers and internet connections to communicate electronically with IAS. We shall not provide IAS services to an individual unless the individual consents to electronic communication with us concerning the IAS transactions. We shall have no further obligation to provide IAS to an individual whose consent to electronic communications is revoked or invalid for any reason. Unless we expressly agree otherwise, IAS users are responsible for all costs and expenses to provide their own secure devices and internet connections.
Effective Date
This notice and each update of this notice becomes effective on its posting date. The current notice took effect on August 25, 2025. The notice shall remain in effect until we change it. An update takes effect at the beginning of the day we post the update. The notice as updated applies for all purposes to information we shall then hold, and the notice as previously in effect shall remain applicable as to all previous times.
Our Rights to Update this Notice
From time to time, we may change or update the terms of this notice in whole or part in our discretion. We post this notice as updated and then currently in effect at https://www.unblock.health/individual-access-services/. Check this website for updates of this notice. The date of posting of the update will appear near the top of the notice and immediately below its title. Any material updates to this notice will be electronically distributed to actively enrolled users based on their individual electronic communications preference. Updates that are inapplicable or immaterial in our judgment are simply posted to our public website.
Links to Other Websites
If we include links to other websites (not IAS) that are not described in this notice, each site will have its own policies that are outside our control.