This is an addendum to Guava's Privacy Policy and only applies to users of the
TEFCA Nationwide Sync feature for US-based health records. Guava's Privacy Policy
and Terms of Service are part of this Notice.
In this addendum, "TEFCA Data" means Individually Identifiable Information maintained by Guava
in connection with the Individual Access Services it provides to you.
Consent
Before receiving or sending your records through TEFCA, we will ask if you agree to it, and if you agree
to this Notice. If you agree, we will store this consent record in a secure audit log. To remove
your consent later, simply delete the TEFCA/Nationwide Sync source from your Guava
Sources tab. Step-by-step instructions are available on our
TEFCA consent revocation page.
TEFCA-Specific Data Statements
Guava's data disclosure through TEFCA follows the rules in the Common Agreement and applicable guidance from
the U.S. Department of Health and Human Services.
Guava uses commercially reasonable efforts to protect your data from unauthorized or illegal access, modification,
use, or destruction.
Guava encrypts all Individually Identifiable Information it holds, both in transit and at rest,
regardless of whether the data was obtained through TEFCA.
Guava is required to act in conformance with this Notice and must protect the security of your TEFCA Data
in accordance with the applicable Framework Agreement.
Guava's privacy and security duty to you under this Notice lasts for as long as Guava maintains your TEFCA Data.
Guava does not sell your TEFCA Data and does not plan to. If this ever changes, you will be given a choice
before your data is affected.
Guava will not use your TEFCA Data to assert any claim against you, except to collect any required fees,
if applicable.
Guava does not de-identify your data for any purpose beyond what is listed in our Privacy Policy.
Guava retains your TEFCA Data for as long as you keep your TEFCA/Nationwide Sync data source in your Guava account.
You can delete a data source from your Guava app at any time.
For Individual Access in TEFCA using the Guava consumer app, Guava is not subject to HIPAA.
However, Guava provides services to clinics that are HIPAA Covered Entities, and in these cases Guava is
a Business Associate and subject to HIPAA. In all cases, Guava uses HIPAA-compliant privacy and security
practices.
When Guava uses a third party to process data, Guava requires a HIPAA Business Associate Agreement
where applicable and requires their practices to be at least as protective as what Guava promises you.
Guava uses a very small number of third party data processors,
and each one is vetted personally by Guava's CEO and head of engineering.
Legal Demands
If Guava receives a subpoena, court order, search warrant, or other legal demand for your TEFCA Data,
we will notify you in writing or electronically within 3 business days unless prohibited by law.
You may object to this or seek a protective order. If we do make your TEFCA Data available to law enforcement,
we will also notify you within 3 business days, unless prohibited by law.
Your TEFCA Rights
In addition to the rights in our Privacy Policy, you have the right to:
Opt out of sharing your TEFCA Data
Access your TEFCA Data
Export your TEFCA Data in a machine-readable format with means to interpret it
Be notified if your TEFCA Data was or is reasonably believed to have been affected by an IAS security incident
Delete all your TEFCA Data except audit logs, unless prohibited by law
You can exercise your rights of viewing, editing, deleting, and opting-out of sharing of your TEFCA Data
at any time from the Guava app (e.g. Records tab and Data Sources tab). Exports are available in many formats
and locations in the Guava app, such as the download button in data charts (CSV, PDF) and on individual items
on the Records tab. Each record is generally available in the form it came in and includes a large variety
like PNG, JPG, PDF, HTML, CCDA, JSON, and more. If these user-friendly exports do not meet your needs, you
can always use the slower method of requesting a full data dump (use Contact section below).
Bi-directional Data Sharing
Guava currently only lets you request your data, but in the future you may also have the option to
send data back to providers, although it won't be required. TEFCA requires that we display the following notice:
REQUEST-ONLY IAS PROVIDER: Guava DOES NOT
PROVIDE BIDIRECTIONAL SERVICES. YOU WILL HAVE THE ABILITY TO
REQUEST ACCESS TO YOUR HEALTH INFORMATION VIA TEFCA EXCHANGE.
YOU WILL NOT BE ABLE TO USE Guava TO SHARE YOUR
HEALTH INFORMATION WITH OTHER PARTICIPANTS IN TEFCA.
Fees
Guava may charge a fee or require a paid subscription to use TEFCA features. If so,
it will be clearly stated in the app before you enable the feature. As of February 20th, 2026,
TEFCA features are free for all Guava users.
Contact
You may contact us for any reason regarding TEFCA:
In-app: Tap the "Help & Feedback" button in the menu