Privacy and Security Notice for TEFCA Individual Access Services (IAS)
1. Effective Date and Scope
Effective Date: March 18th, 2026.
This Privacy and Security Notice explains how SEQSTER PDM, Inc. (“SEQSTER,” “we,” “us,” or “our”) collects, accesses, uses, maintains, protects, and discloses Individually Identifiable Information in connection with all services including Individual Access Services (“IAS”) that SEQSTER offers through its website, patient-facing applications, and related user-facing services.
This Notice applies to all of SEQSTER’s processing activities including IAS processing and is intended to be publicly available, current, and provided to individuals before they use or receive services from SEQSTER. SEQSTER will conspicuously post this Notice on the websites and user-facing applications through which SEQSTER offers or describes its Individual Access Services and will post updated versions no later than the effective date of any change.
2. Material Changes to This Notice
When SEQSTER makes a material change to this Notice, SEQSTER will update the effective date and will conspicuously identify the material changes in a format designed to help individuals readily understand what changed. Material changes will be posted on SEQSTER’s website and user-facing applications, and SEQSTER will make reasonable efforts to provide updated versions to individuals already enrolled in IAS in accordance with their communicated preferences.
| Version / date | Summary of material changes |
| [Insert date] | [Insert summary of material changes for publication version] |
3. Plain-Language Notice and How to Contact Us
SEQSTER intends this Notice to be written in plain language and presented in a readable format, including on smaller screens such as mobile devices. If you have questions about this Notice or want to raise a privacy-related complaint, please contact SEQSTER using the contact information below.
| privacy@seqster.com | |
| Phone | +1-850-888-3282 |
SEQSTER maintains a process for documenting privacy-related complaints, SEQSTER’s response to those complaints, and the final disposition of each complaint.
4. SEQSTER’s IAS Service Model
REQUEST-ONLY IAS PROVIDER: SEQSTER DOES NOT PROVIDE BIDIRECTIONAL SERVICES. YOU WILL HAVE THE ABILITY TO REQUEST ACCESS TO YOUR HEALTH INFORMATION VIA TEFCA EXCHANGE. YOU WILL NOT BE ABLE TO USE SEQSTER TO SHARE YOUR HEALTH INFORMATION WITH OTHER PARTICIPANTS IN TEFCA.
5. HIPAA Status
SEQSTER is subject to the Health Insurance Portability and Accountability Act and its implementing regulations (the “HIPAA Rules”) as a matter of law with respect to the IAS services described in this Notice.
6. Information We Collect or Receive
In connection with IAS, SEQSTER may collect, receive, maintain, or process the following categories of information:
- Identifiers and account details, such as your name, email address, date of birth, telephone number, and account credentials or authentication information.
- Health-related information and other Individually Identifiable Information that you upload to SEQSTER, direct SEQSTER to retrieve, or authorize SEQSTER to access from healthcare providers, health plans, or other connected sources.
- Technical and usage information, such as device information, browser type, IP address, internet activity, timestamps, and account or system logs used for service operation, fraud prevention, security, debugging, and support.
- Communications and support information, including requests, feedback, help-desk messages, and complaint information that you send to SEQSTER.
Where required by law or this Notice, SEQSTER will obtain your express, documented, and informed consent before accessing, exchanging, using, or disclosing your Individually Identifiable Information for IAS, except for disclosures required by applicable law.
7. How SEQSTER Uses Individually Identifiable Information
SEQSTER uses Individually Identifiable Information only for the purposes described in this Notice, subject to applicable law and the permissions and restrictions applicable to IAS. SEQSTER may use your information to:
- Provide, operate, maintain, secure, and improve SEQSTER’s IAS-related website, patient portal, and applications.
- Access, retrieve, receive, organize, and present your health information at your direction.
- Respond to your requests, provide customer support, troubleshoot account or connection issues, and maintain service functionality.
- Protect against unauthorized access, fraud, misuse, or other threats to the confidentiality, integrity, or availability of SEQSTER systems and data.
- Comply with applicable legal, regulatory, contractual, audit, and security obligations.
SEQSTER will not access, exchange, use, or disclose your Individually Identifiable Information to assert any claim against you, except as necessary to collect any applicable fees disclosed in this Notice. At the time of this draft, SEQSTER does not charge fees for privacy requests.
8. Sale, Marketing, and Consent to Sale
SEQSTER will not sell Individually Identifiable Information, receive remuneration in exchange for Individually Identifiable Information, or use Individually Identifiable Information for targeted advertising or other marketing purposes unless SEQSTER first obtains the individual’s prior, express, and documented Consent to Sale. Any Consent to Sale will be conspicuously labeled as such and separate from the individual’s consent to this Privacy and Security Notice.
Marketing communications about SEQSTER products or services, if any, will not authorize SEQSTER to use Individually Identifiable Information for targeted advertising or other marketing purposes in a manner inconsistent with this Notice or applicable law.
9. Disclosures and Access by Third Parties
SEQSTER may disclose or provide access to Individually Identifiable Information only as described in this Notice, at your direction, as required by applicable law, or as otherwise permitted under applicable contractual and legal requirements.
- Service providers and contractors. SEQSTER may share information with vendors, contractors, or other service providers that support hosting, infrastructure, security, customer support, communications, analytics, or similar operational functions on SEQSTER’s behalf.
- Connected data sources. At your direction, SEQSTER may receive information from healthcare providers, health systems, health plans, or other connected third-party sources and may present that information to you through SEQSTER’s IAS services.
- Business transfers. If SEQSTER is involved in a merger, acquisition, financing, reorganization, bankruptcy, sale of company assets, or similar transaction, information may be disclosed as part of that transaction, subject to applicable law and this Notice.
- Legal and safety disclosures. SEQSTER may disclose information to comply with a legal obligation, respond to compulsory process, address emergencies, protect rights, property, or safety, or otherwise comply with applicable law.
When SEQSTER discloses or provides access to Individually Identifiable Information to third parties acting on SEQSTER’s behalf, SEQSTER requires privacy, security, confidentiality, access-control, and incident-response measures appropriate to the services those third parties provide.
Some downstream uses or disclosures may occur outside SEQSTER’s direct control, including in connection with legal process, regulatory requirements, or business transfer events. SEQSTER will describe those categories of recipient entities and uses in this Notice so that individuals can understand the circumstances in which their information may move beyond SEQSTER.
All disclosures through TEFCA are made in accordance with the permitted and required uses and disclosures specified in the Common Agreement and applicable U.S. Department of Health and Human Services guidance.
10. De-Identified Information
SEQSTER may de-identify information derived from Individually Identifiable Information where permitted by applicable law and this Notice. If SEQSTER de-identifies information, SEQSTER will use reasonable measures designed to remove identifying elements or otherwise reduce the likelihood that the information can be used to identify an individual. SEQSTER may use or disclose de-identified information for lawful purposes, including service improvement, analytics, research, security monitoring, and operational reporting.
If SEQSTER materially changes how de-identified information is created, used, or disclosed in a way that would affect individual expectations under this Notice, SEQSTER will update this Notice and obtain any required consent before the materially different use.
11. Retention
SEQSTER retains individual identifiable information and health information for as long as needed to provide our services and fulfill the purposes described in this Notice, and for at least six (6) years where retention is necessary to comply with HIPAA documentation obligations and other legal, regulatory, audit, dispute-resolution, or enforcement requirements, unless a longer period is required by applicable law.
SEQSTER maintains a more detailed internal retention schedule that identifies:
- the standard retention period for IAS-related account information and retrieved records;
- how long backup copies may persist before they are automatically overwritten or deleted;
- which categories of information may be retained longer for legal, audit, fraud-prevention, or security purposes; and
- which data elements, such as audit logs, may be retained even when other data are deleted because deletion is not technically feasible or is prohibited by applicable law.
Upon account deactivation or a valid deletion request, SEQSTER will remove or delete the information for future uses and disclosures to the extent technically feasible and not prohibited by applicable law, subject to the limitations described in this Notice.
12. Your Rights and Choices
SEQSTER describes below the choices and rights that individuals have regarding the collection, use, deletion, access, export, and disclosure of their Individually Identifiable Information in connection with IAS. SEQSTER will implement those choices within a reasonable time period and, if SEQSTER is reasonably aware that applicable law would prohibit honoring a request, SEQSTER will inform the individual.
- Right to delete. You may require SEQSTER to delete all Individually Identifiable Information maintained by SEQSTER in connection with IAS, to the extent technically feasible, with respect to future uses or disclosures, unless deletion is prohibited by applicable law. This deletion right does not apply to information contained in audit logs.
- Right to access. You may access the Individually Identifiable Information maintained by SEQSTER in connection with IAS through the patient portal or another designated access method made available by SEQSTER.
- Right to export. You may obtain an export of your Individually Identifiable Information in a machine-readable format, together with the means to interpret that format, such as a legend, field description, or similar explanation where appropriate.
- Right to incident notice. You may be notified if your Individually Identifiable Information has been or is reasonably believed to have been affected by an IAS Incident.
- Right to limit or direct disclosures where offered. Before your first use of IAS, SEQSTER will present you with this Notice for your explicit consent regarding whether SEQSTER may retrieve your Individually Identifiable Information via TEFCA Exchange on your behalf. SEQSTER is a Request-Only IAS Provider and does not disclose your Individually Identifiable Information in response to inbound requests from other TEFCA participants. SEQSTER will maintain processes to honor the choice you make.
13. Consent to This Notice
Before SEQSTER accesses, exchanges, uses, or discloses your Individually Identifiable Information for IAS, except for disclosures required by applicable law, SEQSTER will obtain your express, documented, and informed consent to the terms of this Privacy and Security Notice.
- SEQSTER will present the Notice in sufficient context for you to understand the consequences of your choices at the outset of your first use of IAS.
- SEQSTER will obtain renewed express, documented, and informed consent before using your information in a materially different manner than described in the version of the Notice in effect when the information was collected or otherwise obtained, where such renewed consent is required.
- SEQSTER may collect or capture consent through an electronic signature, in-application acknowledgement, or paper signature, as permitted by applicable law.
- SEQSTER will maintain consent records in a secure, auditable log sufficient to validate and verify the consent provided.
14. How to Revoke Consent
You may revoke your consent to this Notice through a method that is not burdensome and that includes at least an electronic means to revoke consent within SEQSTER’s user-facing application(s). SEQSTER will provide step-by-step revocation instructions in a stand-alone, conspicuous format on the website and within the application.
| 1 | Log in to your SEQSTER account at your SEQSTER portal. |
| 2 | Go to Profile > Privacy & Consent. |
| 3 | Locate the “TEFCA health records access” row and click “Revoke.” |
| 4 | Review the revocation notice explaining that TEFCA record retrieval will stop immediately. Click “Revoke consent” to confirm your request electronically. |
| 5 | Need help? Contact SEQSTER at privacy@seqster.com or +1-850-888-3282. |
Revocation will not affect any actions SEQSTER took in reliance on your consent before the date of revocation. After the effective date of revocation, you will no longer be able to access SEQSTER’s IAS services unless and until you provide any new consent required for access.
15. Security Practices
SEQSTER will act in conformance with this Privacy and Security Notice and will protect the security of the information it maintains in accordance with the applicable Framework Agreement.
- SEQSTER uses commercially reasonable efforts to protect Individually Identifiable Information from unauthorized or illegal access, modification, use, or destruction.
- SEQSTER encrypts all Individually Identifiable Information held by SEQSTER, both in transit and at rest, regardless of whether such data are in scope for HIPAA.
- SEQSTER restricts access to Individually Identifiable Information to workforce members, contractors, and service providers with a legitimate business need and subject to appropriate confidentiality and security obligations.
- SEQSTER uses administrative, technical, and physical safeguards appropriate to the nature of the data and the services provided, which may include access controls, authentication measures, logging, monitoring, separation of data environments, vulnerability management, and incident management procedures.
- SEQSTER’s obligations under this Notice continue for as long as SEQSTER maintains your Individually Identifiable Information.
16. Incidents and Breach Notice
If SEQSTER becomes aware that your Individually Identifiable Information has been or is reasonably believed to have been affected by a security incident or data breach, SEQSTER will provide notice to you to the extent required by applicable law and applicable HIPAA requirements. To the extent possible, that notice will include:
- a brief description of what happened, including the date of the incident and the date of discovery, if known;
- a description of the type or types of information involved;
- steps you should take to protect yourself from potential harm;
- a brief description of what SEQSTER is doing to investigate the incident, mitigate harm, and protect against further incidents; and
- contact procedures for you to ask questions or obtain more information, including a toll-free or direct telephone number, email address, and website contact information or contact form.
17. Legal Process and Law Enforcement Notice
Unless prohibited by applicable law, SEQSTER will provide written or electronic notice to affected individuals within three business days after SEQSTER receives a civil or criminal subpoena, court order, search warrant, or other demand for compulsory disclosure of Individually Identifiable Information. Where permitted, the notice will explain that the affected individual may object to the production of the information or seek a protective order or other appropriate remedy consistent with applicable law.
Unless prohibited by applicable law, SEQSTER will also provide written or electronic notice to affected individuals within three business days after SEQSTER makes Individually Identifiable Information available to law enforcement agencies.
18. Fees
SEQSTER currently does not charge any fees or costs related to IAS or the exercise of the individual rights described in this Notice.
If SEQSTER later introduces any IAS-related fee, SEQSTER will update this Notice before the fee becomes effective. Any such update will identify which services trigger the fee, when the fee is charged, how the fee must be paid, any available grace period, and the then-current amount.
19. Questions, Complaints, and Further Information
If you have questions about this Notice, want more information about SEQSTER’s privacy and security practices, or would like to submit a privacy-related complaint, please contact SEQSTER using the contact details provided in Section 3. SEQSTER will document privacy-related complaints, its response, and the final disposition of each complaint.
