Privacy and Security Notice

Consolidate Health, Inc. This Notice is also referred to as our Privacy Policy. Last material change: 06/17/2026.

Effective 06/17/2026

What this Notice covers

Consolidate Health helps you access your health records. This Notice explains how we collect, use, share, and protect your information when you use our Individual Access Services, and what choices and rights you have.

This Notice applies to the Consolidate Health application (accessible at app.consolidate.health and rendered through any standard web browser, including when embedded inside applications operated by our customers), to our marketing website at consolidate.health, and to any other place where we offer you the ability to access your own health information.

Consolidate Health works behind the scenes for a range of healthcare apps and services. The platform or service you are using may or may not include features that retrieve records through the Trusted Exchange Framework and Common Agreement (TEFCA). Throughout this Notice, sections that apply only when TEFCA-enabled features are used will say so. The rest of the Notice applies to you regardless of which features are turned on.

Quick summary: We collect your information to help you get your health records. We protect your information using strong security. We do not sell your information. We do not use your health information for advertising. You can revoke your consent, delete your information, and export your information at any time. If something goes wrong, we will tell you.

Key terms used in this Notice

To keep this Notice readable, here are a few terms we use throughout:

Term — What it means

Individual / you / your — The person whose health information is being accessed through our Services. That is usually you.

Individually Identifiable Information (III) — Any information that identifies you or can reasonably be used to identify you. This includes your name, address, date of birth, contact information, identity verification data, and your health records.

Individual Access Services (IAS) — Our services that let you retrieve your own health information from healthcare providers, health plans, and health information networks.

TEFCA — The Trusted Exchange Framework and Common Agreement. A federal framework that lets approved organizations exchange health information across networks. Consolidate Health participates in TEFCA through a designated Qualified Health Information Network (QHIN).

Material Change — A change to this Notice that means we will use or share your III in a way that is different from how we said we would when we collected it. This includes changes that may affect you, new categories of information we collect, or any change you would not reasonably expect.

IAS Incident — A TEFCA Security Incident or a breach of your unencrypted III that we maintain.

1. What information we collect about you

To provide our Services, we collect the following types of information:

Information you give us

  • Your name, date of birth, contact information (email, phone, address), and other details we need to identify you and your records.

  • Information you provide during identity verification, if the platform or service you are using uses our TEFCA-enabled features (see Section 3).

  • Your account credentials and preferences.

Health information we retrieve on your behalf

  • Your health records from healthcare providers, health plans, and health information networks that you authorize us to retrieve.

  • Metadata about those records (source, date, format) so we can present them to you.

Information we collect automatically

  • Technical information about your device and how you use our Services, such as device type, operating system, IP address, and pages or screens you visit.

  • Cookies and similar technologies as described in Section 8.

2. How we use and share your information

We use and share your III only for the following purposes:

To provide our Services to you

  • Retrieving your health records from providers and networks at your request.

  • Delivering those records to you through our Services.

  • Helping you transmit records to third parties you choose to share them with.

  • Operating, securing, and improving our Services.

With service providers acting on our behalf

We work with companies that help us run our Services, such as cloud hosting, security monitoring, identity verification, and customer support. We require these companies to protect your information under written contracts, including HIPAA Business Associate Agreements where applicable, SOC 2 or HITRUST attestations, encryption, access controls, and breach notification commitments.

Through TEFCA (only when TEFCA-enabled features are used)

If the platform or service you are using includes our TEFCA-enabled features, and you ask us to retrieve your records through TEFCA, we work with our QHIN partner to query other TEFCA participants for your records. All disclosures we make through TEFCA follow the permitted and required uses and disclosures in the TEFCA Common Agreement and U.S. Department of Health and Human Services guidance.

If the platform or service you are using does not include our TEFCA-enabled features, this subsection does not apply to you, and we do not exchange your information through TEFCA on your behalf.

When information passes to others

When you direct us to share your III with a third party (such as a healthcare provider, app, or other recipient you choose), or when your III is disclosed to a recipient through TEFCA, that recipient becomes responsible for the information it receives. Once your III is in the hands of a third party, its further use and disclosure are governed by that third party’s own policies and applicable law, and may be outside of Consolidate Health’s control.

To comply with the law

We may use or disclose your III when we are required to do so by law, such as in response to a valid subpoena, court order, or government demand. See Section 6 for details, including the notice we will give you.

What we will never do: We will never use your III to assert a claim against you, except to collect fees that you owe. (We do not currently charge any fees to Individuals for our Services. See Section 9.)

Sale, advertising, and marketing of your III

We do not sell your III. We do not exchange your III for anything of value. We do not use your III for targeted advertising or marketing.

If we ever proposed to do any of these things in the future, we would first ask for your separate, express, documented consent (“Consent to Sale”). The Consent to Sale would be clearly labeled, presented separately from your consent to this Notice, and entirely optional. You would not need to give it to keep using our Services.

Marketing website and analytics

On our public marketing website (the pages that anyone can visit without signing in), we use standard web analytics and may use advertising technologies to understand how visitors find us. These activities are governed by our cookie consent banner and are limited to non-health information that does not identify you. We do not allow these technologies on the parts of our Services where you access your health information.

De-identified data

We may de-identify your III so that it can no longer be used to identify you. We do this using the standard at 45 CFR § 164.514(b). We may use and share de-identified information for analytics, research, improving our Services, and other lawful purposes. We do not attempt to re-identify de-identified information.

How long we keep your information

While your account is active, we retain your III for as long as we need it to provide the Services to you, and for no longer than necessary for the purposes described in this Notice. When you delete your account or ask us to delete your III, we follow the deletion process described in Section 7. We retain a minimal audit log after deletion as described in that section.

3. Identity verification (only when TEFCA-enabled features are used)

When this section applies: This section applies only if the platform or service you are using uses our TEFCA-enabled features. If it does not, you are not required to verify your identity, and the rest of this section does not apply to you.

If the platform or service you are using includes our TEFCA-enabled features, you must verify your identity before you can access your health records through those features. We use a credentialed identity verification provider to perform this verification.

When you complete identity verification, the following applies:

  • The result of your verification (“Verification Response”) is not a consumer report under the Fair Credit Reporting Act (FCRA).

  • We do not use the Verification Response for any decision about your credit, insurance, employment, or licensing eligibility, or for any other purpose governed by FCRA.

  • We do not take any “adverse action” against you under FCRA based on the Verification Response.

  • We do not re-disclose your Verification Response to any third party that is not a party to the verification.

  • We do not use verification data for cross-context behavioral advertising.

  • Identity verification is currently available only to Individuals located in the United States and its territories.

We keep our own record of the fact that you completed identity verification (date, level of assurance, outcome). We do not keep copies of the documents you submit during verification.

4. How HIPAA applies to us

Consolidate Health is not a HIPAA Covered Entity. Whether HIPAA applies to us at all depends on the context described below.

When you use our Services directly under your own authorization

When you use our Services to retrieve your own records, we are acting under your authorization, not on behalf of a healthcare provider or health plan. In that situation, HIPAA may not apply to us as a matter of law. However, we apply protections that are equivalent to or stronger than HIPAA, including all of the commitments in this Notice. If the platform or service you are using includes our TEFCA-enabled features, the additional protections required by TEFCA also apply.

When we provide services to a customer that is a HIPAA-regulated entity

Some of our customers are healthcare providers, health plans, or other entities that are subject to HIPAA as Covered Entities or Business Associates. When we provide services to those customers, we sign a HIPAA Business Associate Agreement and become a Business Associate (or a Subcontractor Business Associate). In those engagements, HIPAA applies to our handling of your III.

Regardless of whether HIPAA applies in your particular situation, this Notice describes how we protect your III, and the commitments in this Notice apply to you.

5. How we protect your information

We act in conformance with this Notice, and we use commercially reasonable efforts to protect your III from unauthorized or illegal access, modification, use, or destruction.

Encryption

We encrypt all of your III, both when it is transmitted and when it is stored, whether or not it is exchanged through TEFCA.

Access controls

Only authorized personnel and service providers can access your III, and only when they need to in order to do their jobs. We use role-based access controls, multi-factor authentication, and audit logging.

Monitoring

We continuously monitor our systems for unauthorized access and security incidents.

Vendors and service providers

We require any third party that handles your III on our behalf to maintain protections that are equivalent to or stronger than ours. We use written contracts, including HIPAA Business Associate Agreements where applicable, to enforce these requirements.

Ongoing obligation

Our obligations to protect your III under this Notice continue for as long as we maintain your III.

6. Disclosures required by law

We may be required to disclose your III in response to a valid legal demand. When that happens, we follow these rules:

Subpoenas, court orders, and other compulsory demands

If we receive a civil or criminal subpoena, court order, search warrant, or other demand for compulsory disclosure of your III, we will give you written or electronic notice within three (3) business days, unless we are prohibited from doing so by Applicable Law (for example, under the Patriot Act or a sealing order).

When we give you notice, you will have the right to object to the disclosure or to seek a protective order or other appropriate remedy consistent with Applicable Law.

Disclosures to law enforcement

If we make your III available to a law enforcement agency, we will give you written or electronic notice within three (3) business days, unless we are prohibited from doing so by Applicable Law.

Reproductive health care and gender-affirming care

The same rules above apply when a legal demand specifically targets information about reproductive health care or gender-affirming care. We comply only with valid legal process, and we will challenge demands we believe are overbroad, unlawful, or inconsistent with applicable state shield laws, to the maximum extent the law allows.

This includes demands that originate in one state and seek information about lawful reproductive health care or gender-affirming care that was provided in another state. Where Applicable Law permits, we will decline to disclose, or will challenge, cross-state-line demands seeking such information.

7. Your rights and choices

You have the following rights with respect to your III:

Access

You can view all III we maintain about you from within our Services. This includes the health records we have retrieved for you, your identity verification status, your consent history, and your account profile.

Export

You can export the III we maintain about you. We will provide the export as a ZIP archive. Wherever we can, we will render your records into a single PDF for ease of reading. For files we cannot render, we will include them in the ZIP in their original source format. We provide your information in common, openly documented formats (such as PDF and standard XML or JSON) that can be opened and interpreted using widely available software, so that the export is usable to you.

Deletion

You can ask us to delete all III we maintain about you by deleting your account. We will delete your III from our active systems within 30 days of your request, unless an Applicable Law prevents us from doing so. We retain a minimal audit log (a record that you had an account, that you consented and revoked consent, and security-related events) for seven (7) years. The audit log does not contain your health records.

If we are reasonably aware of an Applicable Law that prevents us from deleting specific III, we will tell you which information we cannot delete and why.

You can delete your account, which deletes your information, at any time. Step-by-step instructions are available at https://consolidate.health/help/delete and are also linked from within the Consolidate Health application.

What this deletion covers: This deletion applies only to information that Consolidate Health holds about you. If you accessed our Services through a customer (for example, a healthcare provider, health plan, or app that integrates with Consolidate Health), and you authorized us to share your information with that customer, that customer holds its own separate copy of any information you shared. Deletion by Consolidate Health does not delete information held by that customer. To delete information held by the customer, you need to contact that customer directly and follow their deletion process.

How to exercise your rights

You can exercise any of these rights from within the Consolidate Health application, in your account settings, or by contacting our Privacy Department using the information in Section 11. To request access or an export, sign in to the Consolidate Health application and go to your account settings. To delete your account and your information (which is also how you revoke your consent), follow the step-by-step instructions at https://consolidate.health/help/delete, which are also linked from within the application. Exports are provided as a ZIP archive as described above.

Revocation of consent

You can revoke your consent to this Notice at any time. Because you cannot use our Services without consenting to this Notice, revoking your consent and deleting your account are the same action: when you revoke your consent, we delete your account and your information. We provide an electronic means to do this from within the Consolidate Health application, and the process is not burdensome.

Step-by-step instructions for revoking your consent and deleting your account are conspicuously displayed and readily located within the application, and are also published as a stand-alone article in our Help Center at https://consolidate.health/help/delete.

When you revoke your consent:

  • We will stop providing Individual Access Services to you, and you will no longer be able to use the Services going forward.

  • Your revocation is prospective only. It does not affect anything we did with your consent before the revocation, including any information already shared with a customer at your direction.

  • Your revocation triggers the account deletion described above, which applies only to information held by Consolidate Health. Information already shared with a customer remains with that customer.

Notification of an IAS Incident

If your III is reasonably believed to have been affected by an IAS Incident, we will notify you. See Section 10 for what that notice will include.

Honoring your choices

We respect the choices you make about your III and will implement your requests, including access, export, deletion, and revocation, within a reasonable period of time.

Your TEFCA Exchange disclosure choice (only when TEFCA-enabled features are used)

If the platform or service you are using includes our TEFCA-enabled features, the following applies to you. We also conspicuously display this statement on our public-facing website at consolidate.health.

Consolidate Health is a Request-Only IAS Provider. Consolidate Health does not provide bidirectional services. You will have the ability to request access to your health information via TEFCA Exchange. You will not be able to use Consolidate Health to share your health information with other participants in TEFCA.

Because we are a Request-Only IAS Provider, we do not respond to requests from other TEFCA participants for your health information. We only retrieve your information at your direction. As a result, there is no TEFCA Exchange sharing of your information for you to opt into or out of.

How you give and keep track of your consent

Before you begin using our Services, and before any of your III is accessed, used, or disclosed, we ask for your express, documented, and informed consent to this Notice. We present the Notice and require you to take a clear action to consent. We keep a secure log of your consent so you and we both have a record of it.

We collect your consent electronically. If you are unable to provide consent electronically, you may request to provide your consent by paper signature, in accordance with Applicable Law, by contacting our Privacy Department using the information in Section 11.

If we change this Notice in a way that is a Material Change, we will ask for your consent again before we use your III in the new way. We will not assume your consent or apply the new use to your existing III without asking.

8. Cookies and similar technologies

We use cookies and similar technologies to operate our Services and our marketing website. We treat the two surfaces differently.

On our marketing website

We use cookies for essential website functions, analytics, and (where you opt in through our cookie consent banner) advertising. Our cookie consent banner gives you choices about which categories of cookies to allow.

In our authenticated Services

We use only the cookies and similar technologies needed to operate our Services and keep your session secure. We do not load advertising or behavioral tracking technologies on the parts of our Services where you access your health information.

9. Fees

Consolidate Health does not charge Individuals any fees to use our Individual Access Services or to exercise any of the rights described in this Notice. Our Services are funded by the businesses that integrate with us, not by you.

10. What we will tell you if there is an IAS Incident

An IAS Incident is a TEFCA Security Incident or a breach of unencrypted III that we maintain. If we discover an IAS Incident that reasonably appears to have affected your III, we will notify you. To the extent we can provide it, our notice will include the following information:

  • A brief description of what happened, including the date of the incident and the date we discovered it, if known.

  • A description of the types of III involved (for example, name, date of birth, account number, diagnosis, or other categories).

  • Any steps, if applicable, that you can take to protect yourself.

  • A description of what we are doing to investigate the incident, mitigate any harm, and prevent further incidents.

  • How to contact us with questions about the incident, which will include a toll-free telephone number, an email address, and a website or contact form for the incident.

If we are already required by Applicable Law to notify you of an incident that is also an IAS Incident, we will give you a single notice that satisfies both requirements rather than two separate notices.

11. How to contact us

If you have questions about this Notice, want to exercise any of your rights, or want to file a privacy-related complaint, you can reach our Privacy Department. This contact information is also made available within the Consolidate Health application so you can reach us while using our Services:

Email: privacy@consolidate.health

Phone: +1 (469) 599-4709

Mail: Consolidate Health, Inc., Privacy Department, 3300 Dallas Pkwy, Plano, TX 75093

We document all privacy-related complaints we receive, the actions we take in response, and the final outcome. We will respond to your inquiry or complaint within a reasonable period of time.

12. Changes to this Notice

We may update this Notice from time to time. When we do, we will update the Effective Date and the Last Material Change Date at the top of this Notice.

Material Changes

A Material Change is a change that means we will use or share your III in a way that is different from how we said we would when we collected it. This includes changes that may affect you, new categories of III we collect, or any change you would not reasonably expect.

When we make a Material Change, we will:

  • Post the updated Notice through our Services no later than the Effective Date of the change.

  • Make reasonable efforts to deliver the updated Notice to you through your communicated preferences (such as email, in-app notification, or other channels you have chosen).

  • Conspicuously mark the Material Change in the updated Notice so you can readily see what changed.

  • Ask for your consent again before we use your III in the new way.

If there is ever a question about whether a change should have been treated as a Material Change, we accept the burden of proving the change was not material.

13. About the accuracy of your health records

The health records we retrieve come from healthcare providers, health plans, and health information networks. Those sources are responsible for the accuracy of the records. We do not verify, edit, or correct your records. They may contain errors or omissions.

If you believe a record is inaccurate, you should contact the provider or organization that created the record. We can help you identify the source if needed.

Acknowledgment

By signing up for our Services and consenting to this Notice, you confirm that you have read this Notice, understand it, and agree to it. If you have questions before consenting, contact our Privacy Department using the information in Section 11.