IAS Privacy & Security Notice (TEFCA)
Calcium Health Privacy & Security Notice (TEFCA-Aligned)
Effective Date: March 23, 2026
Calcium LLC (“Calcium,” “we,” “our,” or “us”) is committed to protecting your health information and personal data. This Privacy & Security Notice explains how we collect, use, disclose, and protect your information, including how we participate in nationwide health information exchange under the Trusted Exchange Framework and Common Agreement (TEFCA) and applicable U.S. Department of Health and Human Services (HHS) guidance.
1. Scope of This Notice
This Notice applies to:
- The Calcium Super App (https://app.calciumhealth.com/register)
- Calcium Core (provider platform)
- Calcium AI Studio
- All related services, websites, and integrations
This Notice applies to personal data and electronic health information (EHI), including Individually Identifiable Information (“III”).
2. Our Role in TEFCA (REQUIRED DISCLOSURE)
Calcium participates in nationwide health information exchange under TEFCA as an Individual Access Services (IAS) Provider and/or Subparticipant.
REQUEST-ONLY IAS PROVIDER: CALCIUM LLC DOES NOT PROVIDE BIDIRECTIONAL SERVICES. YOU WILL HAVE THE ABILITY TO REQUEST ACCESS TO YOUR HEALTH INFORMATION VIA TEFCA EXCHANGE. YOU WILL NOT BE ABLE TO USE CALCIUM LLC TO SHARE YOUR HEALTH INFORMATION WITH OTHER PARTICIPANTS IN TEFCA.
Because Calcium is a Request-Only IAS Provider, Calcium does not disclose your health information via TEFCA Exchange and therefore does not require a pre-use opt-in/opt-out choice for TEFCA disclosure.
3. Fees for IAS Services (REQUIRED DISCLOSURE)
Access to TEFCA-enabled Individual Access Services (IAS) is included as part of Calcium’s paid subscription.
- Subscription Fee: $12.99 per month
- What the fee includes: Access to the Calcium Super App, including IAS (retrieval of EHR via TEFCA), health data tools, pathways, and integrations
- Billing: Monthly subscription billed in advance
- Additional Fees: No per-request TEFCA fees at this time
- Payment Requirement: Continued payment is required to maintain IAS access
- Grace Periods: None
4. Information We Collect
4.1 Health Information (EHI / III)
- Medical records (diagnoses, medications, procedures, lab results)
- Vital signs and device-generated data
- Care plans and pathway data
- Health journal entries and user-reported data
4.2 Data Sources
- EHR systems and healthcare providers
- Health systems and hospitals
- Medical devices and wearables
- Health and wellness applications
- TEFCA-enabled networks
4.3 Personal Information
- Name, email, phone number
- Date of birth, gender
- Account credentials
5. How We Use Your Information
We use your information to:
- Provide access to your health records via TEFCA
- Aggregate and organize your health data
- Deliver app functionality and pathways
- Enable user-directed sharing outside TEFCA
- Improve services
6. TEFCA Permitted Uses and Restrictions
All uses and disclosures of information obtained through TEFCA are performed in accordance with the TEFCA Common Agreement and applicable HHS guidance.
Calcium uses TEFCA data only for permitted purposes, including providing individuals access to their own health information.
Restriction on Claims:
Calcium will not access, exchange, use, or disclose Individually Identifiable Information to assert any claim against you, except for the collection of fees.
7. Individual Rights
You have the right to:
- Access your Individually Identifiable Information (III) and Electronic Health Information (EHI)
- Request and retrieve your health records via TEFCA
- Receive your data in electronic format
- Request deletion of your data (see Section 17)
- Revoke consent for sharing outside TEFCA
8. Consent Requirement
Calcium obtains express, documented consent to this Privacy & Security Notice prior to accessing, exchanging, using, or disclosing your Individually Identifiable Information, except where disclosure is required by Applicable Law.
9. How to Revoke Consent (REQUIRED STEP-BY-STEP)
You may revoke your consent at any time.
In-App Instructions:
- Log into your Calcium account
- Go to Settings
- Select Privacy & Data Sharing
- Select an authorized entity
- Click Revoke Consent
- Confirm
Website Instructions:
- Log into your account
- Navigate to Account Settings
- Select Data Sharing Permissions
- Select entity
- Click Revoke Consent and confirm
Revocation applies to future disclosures only.
10. Legal Demands & Law Enforcement
If Calcium receives a subpoena, court order, warrant, or other legal demand for your Individually Identifiable Information:
- Calcium will provide written or electronic notice to affected Individuals within three (3) business days, unless prohibited by law
- Individuals may seek to object or pursue legal remedies
If Calcium makes Individually Identifiable Information available to law enforcement:
- Calcium will provide written or electronic notice within three (3) business days, unless prohibited by law
11. Identity Verification
We use identity proofing and authentication (including multi-factor authentication) through third-party vendor ID.me.
12. Data Sharing & Third Parties
We may share III with:
- Providers and care teams
- QHINs and TEFCA participants
- Technology vendors (hosting, infrastructure, analytics)
- Device/app integrations
- Authorized individuals
Third-Party Requirements:
Third parties performing services on behalf of Calcium are required by contract to:
- Implement appropriate privacy and security safeguards
- Use information only for permitted purposes
- Comply with applicable laws (including TEFCA and HIPAA where applicable)
Important Distinction:
When you independently direct sharing to external third parties, those parties may operate under their own privacy policies and uses may be outside Calcium’s control.
13. De-Identification
Calcium may de-identify III in accordance with applicable law.
De-identified data may be used for analytics, product improvement, and research.
14. Security Safeguards
Calcium:
- Uses commercially reasonable efforts to protect III from unauthorized or illegal access, modification, use, or destruction
- Encrypts all III in transit and at rest
- Implements access controls and monitoring
15. Breach Notification
Calcium will notify Individuals if their Individually Identifiable Information is, or is reasonably believed to be, affected by an IAS Incident, in accordance with applicable law.
16. Ongoing Obligations
Calcium’s obligations under this Privacy & Security Notice continue for as long as Calcium maintains your Individually Identifiable Information.
17. Data Retention & Deletion
You may request deletion of your Individually Identifiable Information.
Calcium will delete your information, to the extent technically feasible, for future uses and disclosures, unless:
- Retention is required by Applicable Law
- Data is contained in audit logs (which are not subject to deletion)
18. HIPAA Applicability
Calcium is not a Covered Entity under HIPAA but may act as a Business Associate and complies with applicable HIPAA requirements in that role.
19. Contact Information
For questions or complaints:
- Email: support@calciumhealth.com
- Phone: 312-342-1574
20. Changes to This Notice
We may update this Notice. Changes will include an updated effective date.