Privacy and Security Notice for TEFCA Individual Access Services (IAS)
1. Effective Date and Scope
Effective Date: March 18th, 2026.
This Privacy and Security Notice explains how SEQSTER PDM, Inc. (“SEQSTER,” “we,” “us,” or “our”) handles your personal health information. We collect, store, protect, and share this information. We do this as part of all services we offer — especially Individual Access Services (“IAS”). You can access IAS through our website, patient-facing apps, and other user-facing tools.
This Notice covers everything SEQSTER does with your information, including IAS. We designed it to be public, up to date, and available to you before you use any of our services. We will post this Notice on every website and app where we offer or describe our IAS. We will publish any updates no later than the date those changes take effect.
2. Material Changes to This Notice
When SEQSTER makes a material change to this Notice, we will update the effective date. We will also mark what changed in a format that is easy to understand. We will post all material changes on our website and user-facing apps. If you are already enrolled in IAS, we will send you the updated version based on your contact preferences.
| Version / date | Summary of material changes |
| March 18, 2026 | Initial publication. Establishes SEQSTER’s privacy and security practices for TEFCA Individual Access Services (IAS) |
3. Plain-Language Notice and How to Contact Us
SEQSTER wrote this Notice in plain language so it is easy to read, including on mobile devices. If you have questions or want to file a privacy complaint, please contact us using the information below.
| privacy@seqster.com | |
| Phone | +1-850-888-3282 |
We keep a record of all privacy complaints, our responses, and how each complaint was resolved.
4. SEQSTER’s IAS Service Model
REQUEST-ONLY IAS PROVIDER: SEQSTER DOES NOT PROVIDE BIDIRECTIONAL SERVICES. YOU WILL HAVE THE ABILITY TO REQUEST ACCESS TO YOUR HEALTH INFORMATION VIA TEFCA EXCHANGE. YOU WILL NOT BE ABLE TO USE SEQSTER TO SHARE YOUR HEALTH INFORMATION WITH OTHER PARTICIPANTS IN TEFCA.
5. HIPAA Status
SEQSTER is subject to the Health Insurance Portability and Accountability Act and its implementing regulations (the “HIPAA Rules”) as a matter of law with respect to the IAS services described in this Notice.
6. Information We Collect or Receive
As part of IAS, we may collect, store, or process these types of information:
-
Identifiers and account details, such as your name, email address, date of birth, phone number, and login credentials.
-
Health and personal information that you upload to SEQSTER. This includes records you ask us to retrieve or access from healthcare providers, health plans, or other connected sources.
-
Technical and usage information, such as your device, browser type, IP address, and system logs. We also collect internet activity and timestamps. We use this for service operation, fraud prevention, security, and support.
-
Communications and support information, including requests, helpdesk messages, and complaints you send to us.
This Notice or the law may need us to get your consent first. In those cases, we will get your clear, documented, and informed consent before we access or share your personal health information for IAS. The only exception is when the law requires us to share it without consent.
7. How SEQSTER Uses Personally Identifiable Information
We use your Personally Identifiable Information (“PII”) only for the purposes described in this Notice. We follow all applicable laws and the rules that apply to IAS. We may use your PII to:
- Run, maintain, secure, and improve our IAS website, patient portal, and apps.
- Access, retrieve, and present your health information when you ask us to.
- Respond to your requests, provide customer support, and fix account or connection issues.
- Protect against unauthorized access, fraud, and other threats to our systems and data.
- Meet our legal, regulatory, contractual, and security obligations.
We will not use or share your PII to make any claim against you.
8. Sale, Marketing, and Consent to Sale
We will not sell your PII, accept payment for your PII, or use your PII for targeted advertising or marketing. The only exception is if you give us your prior, express, and documented Consent to Sale. We will label any Consent to Sale and keep it separate from your consent to this Notice.
Any marketing we send about our products or services will not give us the right to use your PII in a way that conflicts with this Notice or the law.
9. Disclosures and Access by Third Parties
We share your PII only as described in this Notice, when you ask us to, or when the law or a contract requires it. We may share your PII with:
- Service providers and contractors. We may share information with vendors or contractors that help us with hosting, security, customer support, analytics, or other operations.
- Connected data sources. When you ask us to, we may retrieve information from healthcare providers, health systems, health plans, or other connected sources and show it to you through IAS.
- Business transfers. If we enter a merger, acquisition, bankruptcy, or asset sale, we may share information as part of that process, subject to the law and this Notice.
- Legal and safety disclosures. We may share information to meet a legal obligation, respond to a legal demand, handle an emergency, or protect rights, property, or safety.
When we share your PII with third parties who act on our behalf, we require them to follow appropriate privacy, security, and incident-response standards.
Some uses or disclosures may happen outside our control, such as through legal process, regulatory requirements, or business transfers. We describe those situations in this Notice so you know when your information may move beyond SEQSTER.
We make all TEFCA disclosures in line with the Common Agreement and U.S. Department of Health and Human Services guidance.
10. De-Identified Information
When the law allows it, we may remove your personal details from your PII. This creates de-identified information. We take steps to make sure no one can link it back to you. We may use or share this information for lawful purposes. These include service improvement, analytics, research, security monitoring, and reporting.
If we change how we create, use, or share de-identified information, we will update this Notice. If the change affects your rights under this Notice, we will also get your consent before we make it.
11. Retention
We keep your PII and health information for as long as we need it to provide our services and meet the purposes in this Notice. We keep it for at least six (6) years when HIPAA or other laws require it. If the law requires a longer period, we follow that instead.
We maintain a detailed internal retention schedule. It covers:
- How long we keep IAS account information and retrieved records.
- How long we keep backup copies before we overwrite or delete them.
- Which types of information we keep longer for legal, audit, fraud-prevention, or security purposes.
- Which data, such as audit logs, we must keep even after we delete other data because the law requires it.
When you close your account or ask us to delete your information, we will remove it from future use to the extent the law allows.
12. Your Rights and Choices
You have the following rights over how we collect, use, delete, access, export, and share your PII through IAS. We will act on your choices within a reasonable time. If the law prevents us from honoring a request, we will let you know.
- Right to delete. You may ask us to delete all PII we hold in connection with IAS. We will do this to the extent the law allows, for all future uses and sharing. This right does not apply to audit logs.
- Right to access. You may view your PII through the patient portal or another access method we provide.
- Right to export. You may download your PII in a machine-readable format. We will include instructions to help you read and use that format.
- Right to incident notice. We will notify you if your PII has been or we believe it may have been affected by a security incident.
- Right to limit or direct disclosures. Before you use IAS for the first time, we will show you this Notice and ask for your consent. We only retrieve your PII through TEFCA when you ask us to. We do not share your PII in response to requests from other TEFCA participants. We will honor the choice you make.
13. Consent to This Notice
Before SEQSTER access, exchange, use, or share your PII for IAS, we will get your clear, documented, and informed consent to this Notice. The only exception is when the law requires us to share your information without consent.
- We will show you this Notice before your first use of IAS so you understand what you are agreeing to.
- If we use your information in a new way that differs from this Notice, we will get your consent again before we do so.
- We may collect your consent through an electronic signature, an in-app confirmation, or a paper signature, as the law allows.
- We keep all consent records in a secure, auditable log so we can confirm the consent you gave.
14. How to Revoke Consent
You may revoke your consent at any time through our app. We provide step-by-step instructions within the app.
| 1 | Log in to your SEQSTER account at your SEQSTER portal. |
| 2 | Go to Profile > Privacy & Consent. |
| 3 | Locate the “TEFCA health records access” row and click “Revoke.” |
| 4 | Review the revocation notice explaining that TEFCA record retrieval will stop immediately. Click “Revoke consent” to confirm your request electronically. |
| 5 | Need help? Contact SEQSTER at privacy@seqster.com or +1-850-888-3282. |
Revoking your consent will not affect anything we did before the date you revoked it. After that date, you will not be able to use IAS unless you give new consent.
15. Security Practices
We follow this Notice and protect your information in line with the applicable Framework Agreement.
- We work to protect your PII from unauthorized access, changes, misuse, or destruction.
- We encrypt all PII both in transit and at rest, whether or not HIPAA requires it.
- We limit access to your PII to staff, contractors, and service providers who need it to do their job and who agree to keep it confidential.
- We use administrative, technical, and physical safeguards to protect your data. These may include access controls, login verification, logging, monitoring, separate data environments, vulnerability management, and incident response.
- Our duty to protect your PII lasts as long as we hold it.
16. Incidents and Breach Notice
If we find out that your PII has been or may have been affected by a security incident or data breach, we will notify you as the law and HIPAA require. Where we can, that notice will include:
- A brief description of what happened, including the date of the incident and the date we found out, if known.
- The type or types of information involved.
- Steps you can take to protect yourself from harm.
- What we are doing to investigate, limit the damage, and prevent it from happening again.
- How to contact us with questions, including a phone number, email address, and website contact form.
17. Legal Process and Law Enforcement Notice
Unless the law prohibits it, we will notify you within three business days if we receive a subpoena, court order, search warrant, or other legal demand for your PII. Where permitted, we will explain that you may object to the release of your information or seek a protective order or other legal remedy.
Unless the law prohibits it, we will also notify you within three business days if we share your PII with law enforcement.
18. Fees
We do not charge any fees for IAS or for using the rights described in this Notice.
If we add any IAS-related fee in the future, we will update this Notice before the fee takes effect. The update will show which services have a fee, when we charge it, how to pay it, any grace period, and the current amount.
19. Questions, Complaints, and Further Information
If you have questions about this Notice or want to file a privacy complaint, please contact us using the details in Section 3. We keep a record of all privacy complaints, our responses, and how we resolved each one.



