Privacy Policy

Tabula Medica - Your Unified Health Record

Effective Date: February 3, 2026

Privacy Summary (Plain Language)

Your data is yours. We never sell your health information to advertisers or data brokers.
We protect it seriously. Military-grade encryption (AES-256) protects your records at rest and in transit.
You control access. You decide who sees your health information and can revoke access anytime.
We merge carefully. When combining records from different sources, you review and approve matches.
You can take it with you. Export your complete health record in standard FHIR format anytime.

1. Information We Collect

Tabula Medica collects and processes the following types of information to provide your unified health record:

Protected Health Information (PHI)

Medical records from connected healthcare providers (via FHIR)
Lab results, diagnoses, medications, and immunization records
Clinical notes and encounter summaries
Vital signs and health measurements

Demographic Information

Name, date of birth, and contact information
Emergency contacts and family health history
Insurance and coverage details

Device and Usage Data

Data from connected wearables (Apple Watch, Fitbit, etc.)
Photos of documents you upload via camera
App usage patterns for improving your experience

Minimum Necessary Standard: We only access the minimum amount of data required to provide your longitudinal health journey. We do not collect data beyond what is needed for treatment, payment, or healthcare operations.

2. How We Use Your Data

Creating Your Longitudinal Health Journey

We aggregate your health data from multiple sources to create a unified, chronological view of your complete medical history. This helps you and your healthcare providers see the full picture of your health.

Identity Resolution and Deduplication

Our system uses algorithms to match records that belong to you from different healthcare sources. Here's how it works:

Automatic Matching (95%+ confidence): Records with very high similarity are merged automatically.
Manual Review (80-95% confidence): You will be prompted to verify matches that require human judgment.
Original Data Preservation: We always keep the original source data intact, even after merging, to maintain a complete audit trail.

Your Review Required: If our system identifies a potential match that isn't certain, you will see a Patient Match Review screen where you can approve, reject, or defer the decision.

Permitted Uses Under HIPAA

Purpose	Description
Treatment	Sharing your records with healthcare providers involved in your care
Payment	Processing insurance claims and verifying coverage
Healthcare Operations	Quality improvement and care coordination

3. AI-Powered Health Insights

Tabula Medica uses artificial intelligence to provide personalized health summaries, educational insights, and clinical decision support. Here is how we protect your privacy when using these features:

Data Collection for AI Features

We collect health data, including medical records, lab results, medications, and conditions, solely for the purpose of providing AI-powered health insights and tracking within the app. This data is used exclusively for app functionality and is never used for advertising, marketing, or cross-app tracking.

PII Sanitization Before AI Processing

Before any health data is sent to our AI processing partner, it passes through a local sanitization layer that removes all Personally Identifiable Information (PII), including:

Names, email addresses, and phone numbers
Dates of birth and Social Security Numbers
Medical Record Numbers (MRNs) and patient identifiers
Physical addresses, ZIP codes, and insurance IDs

Anonymized Data Only: The AI service receives only de-identified clinical data (conditions, medications, lab values, vital signs). No information that could identify you as an individual is ever transmitted to our AI partner.

Third-Party AI Partner: OpenAI

We use OpenAI's API exclusively for generating natural-language health summaries and educational insights. Our agreement with OpenAI includes:

Zero Data Retention: OpenAI does not retain any data sent through our API requests. Your data is processed and immediately discarded.
No Model Training: Your health data is never used to train, improve, or fine-tune AI models.
Business Associate Agreement (BAA): Our arrangement with OpenAI complies with HIPAA requirements for handling health-related data.

User Consent and Opt-Out

AI features require your explicit consent before any data is processed. You are presented with a clear consent dialog explaining how your data will be used before you can access AI-powered features.

Opt-out anytime: You can revoke your AI consent at any time via Settings > Privacy & Consent > AI Record Summaries.
No impact on core features: Declining AI consent does not affect your ability to view, store, or share your health records. Only AI-generated summaries and insights are disabled.
Consent is recorded: We record the date and time of your consent for compliance purposes.

Not Medical Advice: AI-generated health summaries and insights are for informational and educational purposes only. They do not constitute medical advice, diagnosis, or treatment. Always consult your healthcare provider for medical decisions.

4. How We Share Your Data

We share your health information only in the following circumstances:

With Your Explicit Consent: When you choose to share records with a provider using Smart Health Links
For Treatment: With healthcare providers directly involved in your care
Emergency Access: Through our Break-Glass Protocol when there is a genuine medical emergency (you will be immediately notified)
Legal Requirements: When required by law or court order

Business Associate Agreements (BAAs): All third-party services that handle your PHI have signed HIPAA-compliant BAAs with us. This includes our cloud infrastructure, database providers, and AI services used for health summaries.

We Never:

Sell your health data to advertisers or data brokers
Use your data for marketing purposes without consent
Share identifiable health information with employers or insurers for underwriting
Provide access to HealthKit data for advertising (per Apple's requirements)

5. Your Rights Under HIPAA (Notice of Privacy Practices)

As a patient, you have specific rights regarding your health information:

Right to Access

You may inspect and receive a copy of your complete health record at any time. Use the "Export" feature to download your data in FHIR R4 format.

Right to Amendment

If you believe information in your record is incorrect, you may request an amendment. This is especially important if you notice a deduplication error where records were incorrectly merged.

Right to an Accounting of Disclosures

You may request a list of everyone who has accessed your health information. Our comprehensive audit logging tracks every access for your protection.

Right to Restrict Disclosures

You may request restrictions on how your information is used or shared. While we cannot guarantee all restrictions, we will honor reasonable requests.

Right to Confidential Communications

You may request that we communicate with you through specific channels or at specific locations.

Right to Revoke Authorization

You may revoke any authorization you've given at any time. Smart Health Links can be manually revoked, and shared access can be terminated immediately.

Right to Data Portability

Export your complete health record in FHIR R4 format, compatible with any healthcare system that supports the US Core Implementation Guide.

6. Security Safeguards

We implement comprehensive technical safeguards to protect your health information:

Safeguard	Implementation
Encryption at Rest	AES-256-GCM encryption for all stored health data
Encryption in Transit	TLS 1.3 for all data transmission
Authentication	Apple Sign-In with Face ID/Touch ID support
Multi-Factor Authentication	TOTP-based MFA for sensitive operations
Audit Logging	Immutable logs of all data access and modifications
Automatic Session Timeout	Sessions expire after periods of inactivity
Device Fingerprinting	Recognition of trusted devices for enhanced security

No Middle Name (NMN) Standard

We use industry-standard demographic formatting to prevent matching errors. When importing records, we validate middle name fields to distinguish between "no middle name" and "unknown middle name" scenarios, reducing duplicate record creation.

7. Data Retention

We retain your health information according to the following schedule:

Active Accounts: Data is retained for the life of your account
After Account Deletion: Medical records are retained for 7 years per federal and state medical record retention laws
Audit Logs: Retained for 10 years for HIPAA compliance
Break-Glass Access Records: Retained permanently and cannot be deleted

Deletion Requests: You may request deletion of your account. We will delete all data except what is legally required to be retained. A confirmation will be sent when deletion is complete.

8. Device Permissions

Tabula Medica requests the following device permissions:

Permission	Purpose
Camera	Scan and upload health documents, prescriptions, and medical records for your longitudinal journey
Photo Library	Select photos of medical documents to upload to your records
Face ID / Touch ID	Securely access your health records with biometric authentication
HealthKit	Import health data from Apple Health for a complete picture
Location	Find nearby healthcare providers and pharmacies
Contacts	Add emergency contacts and share health information with family

9. TEFCA Health Information Exchange

When you use TEFCA (Trusted Exchange Framework and Common Agreement) to query health records:

Queries are sent to Qualified Health Information Networks (QHINs)
Your identity is verified to retrieve your records
Retrieved records are stored securely in your account
Exchange purposes are limited to Individual Access Services (T-IAS)

10. Children's Privacy

Tabula Medica is not intended for use by children under 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately.

For patients between 13-18, parental consent may be required depending on your state's laws regarding minor healthcare privacy.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes:

We will notify you via email and/or in-app notification
The "Effective Date" at the top will be updated
Significant changes will require your acknowledgment before continuing to use the app

12. Contact Us

If you have questions about this Privacy Policy, your health information, or wish to exercise your HIPAA rights, please contact us:

Privacy Officer

Email: [email protected]

Mail: Tabula Medica Privacy Office
[Your Business Address]

Response Time: We respond to all privacy inquiries within 30 days as required by HIPAA.

File a Complaint

If you believe your privacy rights have been violated, you may file a complaint with:

Our Privacy Officer (contact above)
The U.S. Department of Health and Human Services Office for Civil Rights

You will not be retaliated against for filing a complaint.