Privacy and Security Notice.

Last Updated: February 23, 2026

Overview

This Privacy and Security Notice (the “Privacy Policy”) covers all websites, services, and mobile apps (the “Services”) provided or hosted by MedRecords.me (sometimes referred to as “we”). This Policy applies to the Personal Information we collect from your use of our services, website, or mobile application, and through any other means by which you engage with us.

“Personal Information” means:

  • Personally Identifiable Information (PII) - Identifiers like your name, address, date of birth, contact details, Social Security number.

  • Protected Health Information (PHI) - Health-related information like medical records, treatment history, diagnoses, and health plan details.

MedRecords.me is proudly owned and operated by Tekmir Solutions, LLC, a Pennsylvania company.

Where our Privacy Policy or Terms of Service differ from Tekmir’s, our policies control with respect to your use of the Services. If there is any conflict between the MedRecords.me Privacy Policy and Terms of Service, this Privacy Policy governs.

Definition of Services

"Services" refers to all websites, mobile applications, software platforms, and related functionalities offered, operated, or provided by MedRecords.me. These include, but are not limited to:

  • Tools to collect, maintain, and share your health information in accordance with your directions.

  • Secure identity verification.

  • Data analysis and machine learning for health insights.

  • Communication tools (email, SMS) for updates.

  • Customer support, research, educational, and promotional activities.

  • Any future updates or enhancements.

MedRecords.me will attempt to collect your health information for the purpose of sharing that information with you and—only if you clearly and expressly direct us to share your information—sharing that information with third parties you select.

What is TEFCA?

The Trusted Exchange Framework and Common Agreement (TEFCA) is a nationwide network that enables the secure exchange of health information across different healthcare systems and organizations. TEFCA establishes a common set of standards and rules to help healthcare providers, health plans, and other authorized parties share patient health information electronically in a safe and standardized way.

MedRecords.me connects to the TEFCA network through CommonWell Health Alliance, a Qualified Health Information Network (QHIN). This connection allows us to locate and collect your medical records from participating healthcare providers, hospitals, health plans, and other organizations across the country that are part of the TEFCA network. By leveraging this nationwide infrastructure, we can help you access your comprehensive health information from multiple sources in one convenient location.

In addition to these terms, MedRecords.me has agreed to comply with the CommonWell Health Alliance End User License Agreement v11.05.23, available at this link.

Acceptance of This Notice

By using our Services, you say to us that you agree to the terms of this Privacy Policy. If you do not agree to the terms of this Privacy Policy, please do not use the Services. Your continued use of the Services after we make changes to this Privacy Policy will mean that you agree to those changes.

Changes to This Notice

This Notice may be revised from time to time as we add new features and services, as laws change, and as industry privacy and security best practices evolve. We will give you advance notice of any material changes so you can decide if you want to maintain your account with MedRecords.me (except changes that need to be made immediately in order to comply with law or to deal with an urgent situation that threatens the security of information held by us or which severely impacts our functionality).

A "Material Change" means a change to this Privacy and Security Notice that results in us using or disclosing Identifiable Information in a different manner than when the information was collected or otherwise obtained. This includes, for example, changes that may adversely affect you, new categories of Identifiable Information processed by MedRecords.me, or any change to how we process Identifiable Information, which you may not reasonably expect.

If there is a dispute about whether we should have made reasonable efforts to proactively notify you of a change to this Notice, MedRecords.me has the burden to prove the change was not a Material Change.

The updated Notice will be effective as of the time of posting, or such later date as may be specified in the updated Notice. Each Material Change will have its own effective date.

We will:

  1. Post the updated Notice on our website.

  2. Post any changes no later than the effective date of the change.

  3. Notify existing users of Material Changes using your stated communication preferences.

  4. Clearly highlight Material Changes so you can easily identify them.

We maintain records of all changes to this Notice, including documentation sufficient to demonstrate whether each change was material or immaterial. In any dispute regarding whether we should have notified you of a change, we bear the burden to prove the change was immaterial.

Account Creation & Maintenance

When you sign up for and use the Services, we collect personal and business information from you for account creation and maintenance (“Account Information”). Such Account Information includes, as applicable or permitted under law, items such as your name, address, e-mail address, telephone numbers, contact preferences, device identifiers, IP address, and prior names and addresses.

Health Records & Self-Reported Information

We enable you to receive copies of your health information and medical records (“Health Records”) through the “patient access” granted to you under HIPAA, HITECH, and/or the laws applicable where you are located, as well as through online portal accounts that may be made available to you by some health care providers, health plans, or independent app developers.

To collect those Health Records on your behalf, we collect information such as name, birth date, address, gender, medical or health plan record numbers, or information about your doctors, medical providers and health plans. We will let you know when it is optional for you to provide certain information, and when that information is necessary to use certain Services.

Any information we receive from outside sources will be treated in accordance with this Privacy Policy. We are not responsible or liable for the accuracy of the information provided to us by third parties and are not responsible for any third party’s policies or practices.

REQUEST-ONLY IAS PROVIDER: MedRecords.me DOES NOT PROVIDE BIDIRECTIONAL SERVICES. YOU WILL HAVE THE ABILITY TO REQUEST ACCESS TO YOUR HEALTH INFORMATION VIA TEFCA EXCHANGE. YOU WILL NOT BE ABLE TO USE MedRecords.me TO SHARE YOUR HEALTH INFORMATION WITH OTHER PARTICIPANTS IN TEFCA.

HIPAA Applicability

MedRecords.me and Tekmir Solutions are not subject to the Health Insurance Portability and Accountability Act (HIPAA) as a matter of law.

Identity Verification

In order to verify your identity, we use a third-party identity verification provider that collects a copy of your official government photo ID and images of your face, which are analyzed and compared to your official ID. The third-party identity verification provider uses your official ID and images solely for purposes of identity verification for MedRecords.me. For information on this third party’s privacy practices, please visit ID.me.

If you decide you want friends, family members, or others to have access to your MedRecords.me account or to be a personal representative, we will collect personal information about those individuals to fulfill your request. Such information may include name, email, telephone, a health care proxy, a power of attorney, or other information used to confirm their identity and authority to represent you.

How We Use Your Personal Information

MedRecords.me uses your information to deliver, improve, and personalize our Services while ensuring you retain control over your data.

Our use of Identifiable Information must comply with Section 11.1 of the TEFCA Common Agreement (available at https://rce.sequoiaproject.org/tefca-common-agreement/), which limits how health information can be used and disclosed.

We must also comply at all times with this Privacy Policy and must protect your Personal Information in accordance with the applicable Framework Agreement.

Specifically, we use your information to:

1. Request your health records

  • To locate your health records and help providers and health plans accurately match and send the correct information to us.

2. Deliver and personalize our Services

  • To create, manage, and personalize your account.

  • To provide secure access to your health records and allow you to send your records to others as directed by you. To be clear, by default, MedRecords.me will not share your health information with other participants in TEFCA.

  • To deliver tailored content, product recommendations, and service updates based on your preferences and usage.

3. Respond to requests

  • To respond to customer service inquiries and fulfill your requests efficiently.

  • To process transactions and administer promotions, surveys, or other features of the Services.

4. Improve our Services

  • To analyze how users interact with our Services and gather feedback to enhance existing features and develop new ones.

  • To conduct research, including aggregated and anonymized analyses, for improving our offerings and generating insights.

5. Keep your data safe

  • To detect, prevent, and mitigate unauthorized access, fraud, and abuse of the Services.

  • To maintain and improve account and network security.

6. Contact you

We may contact you via the following methods to ensure you are informed about your account and services:

  • Email: To send important updates about your account, changes to terms or policies, and optional newsletters or promotional offers. We will also use email to notify you of any unauthorized access or data breaches impacting your information.

  • Phone: To address urgent matters, such as account security, or to respond to specific customer support requests when necessary.

  • Text Messages: If you opt-in, we may send occasional text messages to provide updates about the Services. Message frequency may vary. Standard message and data rates may apply based on your carrier.

7. Send important communications

  • To send essential notices regarding your account, changes to policies, or updates to the Services. These communications are mandatory and cannot be opted out of.

8. Resolve disputes

We will not access, exchange, use, and/or disclose your Personal Information to assert any type of claim against You except for the collection of fees.

How We Share Your Personal Information

We might share your Personal Information in one or more of the following ways.

1. Service providers

We may share your Personal Information under confidentiality agreements with trusted third-party service providers who assist us in operating, developing, or maintaining the Services. These include:

  • Identity verification services (e.g., ID.me) to ensure secure access to your health records.

  • Cloud hosting providers for data storage.

  • Analytics providers for usage analysis and service improvements.

  • Email and text communication vendors.

  • Marketing service providers for delivering promotional materials.

These companies use your data solely to provide services to MedRecords.me and do not have independent rights to share your information.

2. To comply with legal and safety requirements

We may disclose your personal information:

  • To comply with mandatory legal obligations, such as subpoenas, court orders, or government regulations, including potentially relating to reproductive health or gender affirming care.

  • To establish or defend legal claims.

  • To prevent fraud, unauthorized access, or threats to safety.

  • To comply with obligations under the Trusted Exchange Framework and Common Agreement (TEFCA) for sharing medical information.

Any disclosures made through TEFCA are in accordance with the permitted and required uses and disclosures specified in the TEFCA Common Agreement and applicable U.S. Department of Health and Human Services guidance.

We will notify you within three (3) business days of receiving a civil or criminal subpoena, court order, search warrant, or other demand to disclose your Personal Information, unless that notice is prohibited by law. You will have the chance to object to the disclosure or seek a court order preventing it.

We will also notify you within three (3) business days of disclosing your Personal Information to law enforcement or regulators, unless prohibited by law. You will have the chance to object to the disclosure or seek a court order preventing it.

3. Third parties authorized by you

If you expressly and clearly direct us to send your medical records to an authorized third party—for example a law firm, insurance company, or pharmaceutical company—we will comply with your directive if allowed by federal and state law.

Important: When you make a decision to share your data outside of Tekmir and MedRecords.me—including your Health Records—the data practices under this Notice will no longer apply to the information held by that outside entity. We recommend that you review and determine you are comfortable with that entity's privacy policy prior to sharing your data (including Account Information and Health Records).

4. Business transfers

In the event of a business transaction such as a merger, acquisition, or sale, your personal information may be transferred to the new entity. We will require the new entity to adhere to this Privacy Policy.

How We Protect Your Personal Information

We:

  • Use commercially reasonable efforts to protect your information.

  • Encrypt all data, including your Personal Information, at rest and in transit. This includes all Identifiable Information held by MedRecords.me, regardless of whether such data are TEFCA Information.

  • Require service providers to meet strict privacy/security standards, including commercially reasonable efforts to protect your information.

  • Maintain obligations for as long as we hold your data.

  • Retain your medical information for 6 years unless you direct us to destroy it before then, or unless otherwise required by federal or state law.

These obligations will continue as long as we maintain your Personal Information.

De-Identification of Information

We may de-identify your Personal Information by removing identifiers so that the information can no longer reasonably be used to identify you. If we de-identify your information:

  • How we de-identify: We follow industry-standard methods to remove or obscure personal identifiers.

  • How we use de-identified information: We may use de-identified information for research, analytics, product improvement, and to generate aggregate insights about health trends.

  • How we disclose de-identified information: We may share de-identified, aggregated data with research partners, academic institutions, or other third parties. Because this information cannot identify you, it is no longer subject to this Notice.

Data Breach Notification

If we believe your Personal Information is involved in a data breach or unauthorized access of our systems, we will notify you with:

  • What happened and when, including the specific dates of the incident and its discovery if known.

  • What type of data was involved.

  • Steps you should take to protect yourself from potential harm.

  • Our actions to investigate and prevent recurrence.

  • Contact Information to reach us with questions:

Your Choices and Rights

You control how your Personal Information is used, shared, and retained.

1. Giving Your Consent

  • We obtain your express documented and informed consent before you first use our Services.

  • If we materially change how we use your information, we will ask for your consent again.

  • We capture consent via paper or electronic signature and keep an auditable record.

2. User-Controlled Sharing

  • You have full control over sharing your medical information with others, for instance lawyers, family, and caregivers. Use the account settings to manage these permissions. We will not share your health records without express, written authorization in accordance with all applicable laws and regulations.

  • When you make a decision to share your data outside of Tekmir and MedRecords.me--including your Health Records--the data practices under this Privacy Policy will no longer apply to the information held by that outside entity. We recommend that you review and determine you are comfortable with that entity’s privacy policy prior to sharing your data (including Account Information and Health Records).

3. Revoking Your Consent

You can revoke consent at any time using the following methods:

Step-by-Step Instructions to Revoke Consent:

  1. Log into your MedRecords.me account

  2. Navigate to Settings > Privacy & Consent

  3. Click "Revoke Consent"

  4. Confirm your decision

  5. You will receive a confirmation email

Alternative methods:

  • Email support@MedRecords.me with subject line "Revoke Consent"

  • Call (412) 941-8826 and request consent revocation

Important:

  • Revoking consent stops future use or disclosure but does not undo past actions based on your earlier consent.

  • Once revoked, you will no longer be able to access our Services.

4. Your Rights to Your Data

You may:

  • Request complete deletion of your information (except legally required audit logs).

  • Access and export your information in a machine-readable format with instructions for interpretation. Instructions are available in your portal. Available formats include JSON and CSV with accompanying data dictionaries.

  • Be informed if the law prevents deletion of your information.

We will act on your requests within a reasonable time.

5. Consent to Sale

We do not sell your information without your separate, clearly labeled “Consent to Sale.”
If you ever give such consent, you may revoke it at any time through the same methods listed above.

We will obtain your express and documented consent before we ever: (1) sell your Personal Information, (2) receive remuneration in exchange for Personal Information, or (3) use Personal Information for targeted advertising or other marketing purposes.

6. Changing or Deleting Your Information

  • You can update, correct, or delete your information using in-app tools or by emailing support@MedRecords.me.

  • We delete your data as soon as reasonably possible after a valid request, except for records we must retain by law.

7. Opting Out of Communications

  • Emails: Click “unsubscribe” in the message.

  • Calls: Update your settings or email us.

  • Text messages: Reply STOP; HELP for help.

  • Mandatory account and legal notices cannot be opted out of.

Fees and Costs

We do not charge individuals to access, view, download, export, or delete their records, or to exercise any privacy rights.

If you choose to have MedRecords.me send your records to another organization—such as a law firm or other authorized third party—we may charge that organization a flat fee to cover the administrative and technical work required to retrieve and transmit the records at your direction.

That fee:

  • Is currently $150

  • Is charged only for medical records retrieval and transmission services

  • Is paid by the receiving organization

  • Is assessed at the time the records request is made

  • Does not depend on the contents of your records

  • Does not affect your ability to access or obtain your records through MedRecords.me

  • May be reimbursed to the organization by you only if permitted under your separate agreement with that organization

We accept payment from receiving organizations by credit card, ACH bank transfer, or invoice for approved accounts. Invoiced payments are generally due within 30 days.

We will clearly disclose any applicable fees to the receiving organization before the request is processed.

Contact Us

If you have questions about this Notice, our privacy practices, or wish to submit a complaint, please contact us:

For Privacy Rights Requests: Email support@MedRecords.me with subject line "Privacy Rights Request"

Complaint Process: We maintain a documented process for receiving, investigating, and responding to privacy-related complaints. When you submit a complaint, we will:

  1. Acknowledge receipt within 2 business days

  2. Investigate the issue

  3. Provide a response with our findings

  4. Document the complaint and its resolution

State Privacy Rights and Additional Disclosures

Depending on where you reside, you may have additional rights regarding your personal information under applicable state privacy laws, including the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), and similar laws in other U.S. states such as Virginia, Colorado, and Connecticut (collectively, “State Privacy Laws”).

Your Rights Under State Privacy Laws

Subject to applicable law and certain exceptions, residents of these states may have the right to:

  • Access / Know: Request information about the categories and specific pieces of personal information we have collected about you, the purposes for which we use it, and the categories of third parties with whom we share it.

  • Delete: Request that we delete personal information we have collected from or about you.

  • Correct: Request that we correct inaccurate personal information.

  • Data Portability: Request a copy of your personal information in a portable and, to the extent technically feasible, readily usable format.

  • Opt Out of Certain Processing: Opt out of certain uses of personal information, such as targeted advertising or sharing of personal information for cross-context behavioral advertising, where applicable.

  • Limit Use of Sensitive Personal Information: Where required by law, limit certain uses or disclosures of sensitive personal information.

  • Non-Discrimination: Not be discriminated against for exercising your privacy rights.

Exercising Your Rights

You may submit a request to exercise your privacy rights by contacting us at:

Email: support@MedRecords.me
Subject Line: “Privacy Rights Request”

We may need to verify your identity before fulfilling your request. If you submit a request through an authorized agent, we may require proof of authorization as permitted by law.

California Residents – Additional Information

If you are a California resident, you may have additional rights under California law. To the extent applicable, we do not sell personal information for monetary consideration. We may share personal information with service providers and contractors for business purposes consistent with applicable law.

If required, we will honor requests to opt out of the sale or sharing of personal information and to limit the use of sensitive personal information.

Scope and Limitations

These rights are subject to limitations and exceptions under applicable law. Certain information may be retained as required or permitted by law, including for legal, security, compliance, and operational purposes.

Updates

We may update this section as our services evolve and as state privacy laws change. Any updates will be reflected by the “Last Updated” date at the top of this Privacy Policy.

Children’s Privacy Policy

Our website and Services are not intended for individuals under 18 years of age. If you are under 18 years of age, do not use this website, its features, or our Services in any capacity. Do not provide us with any information about yourself.

We will not knowingly collect data on anyone under the age of 18. If we learn we have collected or received personal information from someone under 18 without valid parental consent, we will delete that information. Please contact us if you believe we might have information from or about a child under 18.

Non-United States Residents

Our website is operated in the United States. If you are located outside of the United States, please be aware that any personal information you provide to us will be transferred to the United States. By using our website and/or providing us with your personal information, you agree to this transfer.