This notice explains how EllaDx, Inc. (“EllaDx,” “we,” “our,” or “us”) handles Protected Health Information (“PHI”) under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its implementing regulations. It supplements our Privacy Policy and applies in addition to it.
Our role under HIPAA
The CLIA-accredited laboratories that process your samples (currently Quest Diagnostics) are HIPAA-covered entities. EllaDx is a Business Associate of those laboratories with respect to the lab-result data and supporting intake information we process on their behalf. We are not, ourselves, a covered entity — we do not diagnose, prescribe, treat, bill insurance, or render clinical care.
This means:
- EllaDx does not issue a HIPAA Notice of Privacy Practices in the form a covered healthcare provider would. Your rights with respect to PHI held by Quest Diagnostics or any other covered entity are described in those entities' own notices.
- Where EllaDx itself receives, stores, transmits, or uses PHI on behalf of a covered entity, we do so under a Business Associate Agreement (BAA) and apply the safeguards and restrictions HIPAA requires of business associates.
What counts as PHI in our system
For our purposes, the following are treated as PHI when tied to identifiable information about you:
- Lab-test results and any clinical-grade biomarker readings returned by a CLIA-accredited laboratory partner.
- The intake information that supports a lab order — date of birth, sex assigned at birth, current medications, relevant medical history, and pregnancy / lactation status where you choose to share it.
- Symptom-quiz responses that describe a current or past health condition, when they are stored on a record keyed to your email address inside Supabase.
Generic marketing identifiers — your name, your email address, and the fact that you completed our onboarding quiz — are personally identifiable information but are not, by themselves, PHI. They are governed by our Privacy Policy.
Where PHI lives in our infrastructure
PHI is stored only in HIPAA-covered infrastructure. Specifically:
- Database and file storage: Supabase, under a signed Business Associate Agreement.
- Laboratory processing and transport: Quest Diagnostics (the covered entity performing the testing) and Junction (the lab-orchestration provider that routes orders and returns results, under a downstream BAA).
PHI is not sent to our marketing email provider (Klaviyo), our transactional email provider (SendGrid), our payment processor (Stripe), our analytics tools, our CDN provider (Cloudflare), or any other system that is not under a BAA. Our marketing tools see only your name, email address, and a generic flag indicating whether you completed the onboarding quiz.
How we use and disclose PHI
We use PHI only to provide the Service to you and to fulfill our obligations under the BAAs we have signed with covered entities. Specifically, we use PHI to:
- Generate the laboratory requisition that is sent to the CLIA-accredited lab.
- Receive your results back from the lab and post them to your private portal.
- Generate your plain-language educational report from the results.
- Provide longitudinal charts and trend comparisons across re-tests you have ordered.
- Comply with our legal obligations, respond to subpoenas or other lawful process, and cooperate with authorized HIPAA audits.
We do not sell PHI. We do not use PHI for advertising or marketing. We do not share PHI with any third party except as required to provide the Service or as required by law.
Safeguards
We use administrative, technical, and physical safeguards appropriate for a HIPAA business associate. These include:
- Encryption in transit (TLS 1.2+) for all communication between client devices, our infrastructure, and our lab and payment partners.
- Encryption at rest for the database tables that store PHI.
- Role-based access controls on production systems, with access limited to personnel whose job functions require it.
- Audit logging of access to systems that store or transmit PHI, retained for the period required by HIPAA.
- Periodic security reviews of our subprocessors that handle PHI.
No system is perfectly secure. We cannot guarantee absolute security, and we recommend that you review the safeguards posted by our laboratory partners and by other covered entities you interact with through the Service.
Your rights with respect to PHI
Because EllaDx is a Business Associate rather than a covered entity, requests to exercise HIPAA rights — to access, amend, obtain an accounting of disclosures, or restrict use — are generally directed to the covered entity that ordered or performed your test (most often, Quest Diagnostics). We will assist by passing requests to the appropriate covered entity and by complying with any lawful request that covered entity makes of us as its business associate.
You may also request a copy of the data EllaDx holds about you, request that we correct inaccurate information, or request that we delete account data, by contacting us using the information below. Some categories of information — for example, records we are legally required to retain — may be retained after a deletion request.
Breach notification
If we discover a breach of unsecured PHI, we will notify the covered entity for which we hold that PHI without unreasonable delay and in any case within sixty (60) days of discovery, as required by 45 CFR 164.410. The covered entity is responsible for notifying affected individuals; we will assist as required by our BAA.
Contact
Questions about this notice or about PHI we hold:
EllaDx, Inc.
Attn: Privacy
1630 W Prosper Trail, #620
Prosper, Texas 75078
[email protected]
To exercise rights under HIPAA, contact the covered entity that ordered or performed your test (typically Quest Diagnostics). We will assist by routing your request to the appropriate party.