Privacy and Security Notice
Introduction
At Trove Health, we believe your health information belongs to you. We are committed to maintaining your trust and protecting your privacy through strict adherence to HIPAA, TEFCA, and other applicable laws. This document combines our Privacy and Security Notice and our general Privacy Policy to explain how we handle your information, your rights as an individual, and the measures we take to protect your data.
Definitions
For clarity, the following terms are used in this Notice:
Individually Identifiable Information (III): Information that can be used to identify you, including health information.
IAS Provider: An organization (like Trove Health) that offers Individual Access Services.
TEFCA Exchange: The Trusted Exchange Framework and Common Agreement, which enables the secure exchange of health data.
Material Change: A change to this Notice that significantly affects how your data is used or shared.
1. Scope of This Notice
This Notice applies to all Individual Access Services (IAS) offered by Trove Health. It explains how we handle Individually Identifiable Information (III) that we collect, access, exchange, use, or disclose in connection with providing our services, including through the TEFCA exchange. This Notice is publicly available, kept current, updated when materially changed, and written in plain language for clarity.
2. How We Collect Information
We may collect information directly from you, your healthcare providers, health information networks, and other authorized third parties. This includes name, contact information, health records, claims data, and information entered in our application or received through the TEFCA exchange.
3. How We Use Information
We use your information to provide, operate, and maintain our services; enable secure access to your health information via TEFCA; communicate with you (including SMS with consent); comply with legal obligations; and protect against unauthorized access or disclosure. We will not use your information to assert claims against you except for fees.
4. How We Share Information
We may share your information with healthcare providers, trusted service providers, law enforcement when required, and directly with you upon request. We do not sell, rent, or trade your information. If we ever intend to sell or use your data for marketing, we will obtain explicit, documented consent.
5. De-Identification of Information
Trove Health may de-identify Individually Identifiable Information (III) in accordance with applicable law and TEFCA guidance. De-identified data no longer contains information that can be used to identify you. Trove Health may use or disclose such de-identified data for analytics, research, product improvement, or public-health purposes, provided that the information cannot be used to re-identify you.
6. TEFCA Disclosures
Trove Health participates in TEFCA to enable the secure exchange of health information. All Uses and Disclosures of Individually Identifiable Information through TEFCA are performed strictly in accordance with the permitted and required Uses and Disclosures defined in the TEFCA Common Agreement and applicable guidance issued by the U.S. Department of Health and Human Services (HHS). If required by subpoena or other legal process, we may disclose information and will notify you within three (3) business days where permitted.
7. Legal and Law-Enforcement Disclosures
If Trove Health receives a civil or criminal subpoena, court order, search warrant, or other compulsory demand for disclosure of Individually Identifiable Information, we will—unless prohibited by law—provide written or electronic notice to the affected individual(s) within three (3) business days of receipt. This notice allows individuals to object, seek a protective order, or pursue other remedies permitted by law.
Similarly, if Trove Health makes Individually Identifiable Information available to any law-enforcement agency (including through sale of such data), we will—unless prohibited by law—notify the affected individual(s) within three (3) business days of doing so.
8. Sensitive Information
We follow additional protections for reproductive health and gender-affirming care data. If legally required to disclose, we comply with applicable law and notify you when allowed.
9. Security Measures
We use commercially reasonable security measures, including encryption of data at rest and in transit, secure access controls, SOC 2 Type II certified infrastructure, and incident response procedures. If your data is impacted by a TEFCA Security Incident or breach, we will notify you promptly.
Trove Health is required to act in full conformance with this Privacy and Security Notice and to protect the security of the information it holds in accordance with the TEFCA Framework Agreement and applicable IAS Provider obligations.
10. Your Privacy Rights
You have the right to access, export, correct, delete, and restrict use of your data; opt out of TEFCA exchange; and revoke consent at any time. To exercise these rights, you may contact us at admin@trovehealth.io or use in-app features (if available). We will respond within 30 days as required by law.
11. Consent
We obtain your explicit consent before accessing, exchanging, using, or disclosing your information. If practices change materially, we will notify you and obtain new consent if required. You may revoke consent electronically at any time, which may limit or end your use of our services.
12. Fees
Trove Health does not currently charge fees for exercising privacy rights. Any future fees will be clearly disclosed here.
13. Material Changes to This Notice
Material changes will be posted on our website, communicated to enrolled individuals, and marked with the effective date of the change. The most recent version of this Notice will always be available at trovehealth.io/privacy-policy.
14. Security Incident or Breach Notification
In the event of a TEFCA Security Incident or breach involving your information, Trove Health will notify you within the time frames required by applicable law. Notifications will include the nature of the incident, the type of information involved, steps you should take to protect yourself, and the actions we are taking to prevent future occurrences.
15. Data Retention and Continuing Obligations
We retain personal information for as long as necessary to provide services, comply with legal obligations, resolve disputes, and enforce agreements. Trove Health’s obligations under this Privacy and Security Notice continue for as long as we maintain any Individually Identifiable Information, even after an individual’s account or participation ends.
16. General Privacy Policy
In addition to our TEFCA Privacy and Security Notice, this section describes how Trove Health collects and uses information through its website and applications for service improvement, security, and communication purposes.
Cookies and Website Tracking
We may use cookies and similar technologies to enhance user experience, analyze traffic, and improve services. You can control cookies through your browser settings.
Log Data and Analytics
We may collect technical information such as IP address, browser type, device identifiers, and usage patterns. This information helps us monitor performance and secure our services.
Third-party Service Providers
We may use trusted third-party providers for hosting, communications, or identity verification. These providers are contractually obligated to protect your information.
International Data Transfers
If data is transferred outside the United States, we ensure appropriate safeguards are in place in accordance with applicable law.
Marketing Communications
We do not currently sell or share personal information for marketing purposes. If this changes, we will update this policy and obtain your consent where required.
Children’s Privacy
There is no age restriction to use our service. However, it is primarily intended for patients and their designated representatives. We comply with applicable laws related to children’s privacy and protect all user data with the same standards.
Your Choices and Control
You can manage privacy preferences, including cookies and communication preferences, through your account settings or by contacting admin@trovehealth.io.
17. HIPAA Status
Trove Health Inc. is subject to the Health Insurance Portability and Accountability Act (HIPAA) as a Business Associate of Covered Entities when performing Individual Access Services. We adhere to all applicable HIPAA Privacy, Security, and Breach Notification Rules.
18. Contact the Privacy Office
19. Language and Accessibility
If English is not your primary language, this Notice is available in other languages upon request. Please contact admin@trovehealth.io for translated versions or accessible formats.
20. Regulatory References
HIPAA (Health Insurance Portability and Accountability Act)
TEFCA (Trusted Exchange Framework and Common Agreement)
IAS Provider Requirements SOP v2.0 (July 1, 2024)
Federal Plain Language Guidelines