Notice of Privacy Practices

1. Our Commitment to Your Privacy

My Birth Codex™ is committed to protecting the privacy of birth identity data. We understand that the information we collect and maintain is deeply personal, and we treat it with the highest standard of care.

This notice applies to all data collected through Codex Core hospital integrations and consumer Provenance intake. Whether your data reaches us through an electronic health record (EHR) integration at a participating hospital or through the voluntary Provenance submission process, we apply the same rigorous privacy protections.

We are required by law to maintain the privacy of your protected health information, to provide you with this notice of our legal duties and privacy practices, and to follow the terms of this notice currently in effect.

2. How We May Use and Disclose Your Information

My Birth Codex™ may use and disclose your birth identity and health information in the following ways:

Record Production

We use your information to produce your Birth Codex archival document. This includes ingesting birth data from hospital EHR systems (under Codex Core) or from voluntary Provenance submissions, verifying the data, and generating the permanent identity record.

Operations

We may use your information for quality assurance, compliance audits, and system integrity purposes. This includes internal review of data handling processes, security assessments, and operational improvements to our record production systems.

Legal Requirements

We may disclose your information when required by law, court order, or regulatory inquiry. When legally permitted, we will notify you of any such disclosure.

Business Associates

We may share your information with entities that help us produce and deliver records, under fully executed Business Associate Agreements (BAAs). These partners are contractually bound to protect your information and may use it only for the services they provide to us.

With Your Authorization

For any purpose you specifically authorize in writing, we may use or disclose your information as described in that authorization. You may revoke any authorization at any time, in writing, except to the extent that we have already taken action in reliance on your authorization.

De-identified Data

We may use aggregate, de-identified data for research or reporting purposes. De-identified data has been stripped of all identifying information such that no individual identification is possible, in accordance with HIPAA de-identification standards.

3. Uses and Disclosures We Will NOT Make Without Your Authorization

My Birth Codex™ will never engage in the following practices:

• We will never sell your data. Your birth identity information is not a commodity. It will never be sold, rented, licensed, or traded to any third party, for any reason, under any circumstances.
• We will never share your data for marketing by third parties. Your information will never be disclosed to external parties for their marketing, advertising, or promotional purposes.
• We will never use your data for automated decision-making that affects your rights. No algorithm, AI system, or automated process will be used to make decisions about your legal rights, eligibility, or access based on your birth identity data.

4. Your Rights Regarding Your Information

You have the following rights with respect to your birth identity and health information held by My Birth Codex™:

Right to Access

You have the right to request a copy of your birth identity data maintained by My Birth Codex™. We will provide the requested information within 30 days of receiving your written request. A reasonable, cost-based fee may apply for copies.

Right to Amend

You have the right to request correction of inaccurate data in your record. If we agree that the information is incorrect, we will amend the record and notify you and any parties to whom we have previously disclosed the information. If we deny the request, we will provide a written explanation and your right to submit a statement of disagreement.

Right to an Accounting of Disclosures

You have the right to request a list of disclosures we have made of your information. This accounting will include the date of each disclosure, the name of the entity or person who received the information, a description of the information disclosed, and the purpose of the disclosure. The first accounting in any 12-month period is provided at no cost.

Right to Request Restrictions

You have the right to ask us to limit how we use or disclose your data. While we are not required to agree to all restriction requests, we will carefully consider each request and honor it when feasible and consistent with our legal obligations.

Right to Confidential Communications

You have the right to request that we communicate with you about your birth identity data via specific methods or at specific locations. For example, you may request that we contact you only by mail or only at a particular address. We will accommodate reasonable requests.

Right to a Paper Copy

You have the right to obtain a paper copy of this Notice of Privacy Practices at any time, even if you have previously received a copy. To request a paper copy, contact us using the information provided in the Contact section below.

Right to Revoke Authorization

You have the right to withdraw any previously given authorization for the use or disclosure of your information. Your revocation must be submitted in writing. Revocation will not affect any use or disclosure that occurred before we received your revocation.

5. Our Responsibilities

My Birth Codex™ has the following responsibilities regarding your information:

• We are required to maintain the privacy of your protected health information and birth identity data.
• We must provide you with this notice of our legal duties and privacy practices with respect to your information.
• We must notify you if a breach of unsecured protected health information or birth identity data occurs.
• We must follow the terms of this notice currently in effect.

We will not use or disclose your information in a manner inconsistent with this notice without your written authorization.

6. Breach Notification

In the event of a breach of unsecured protected health information or birth identity data, My Birth Codex™ will notify affected individuals within 60 days of discovery of the breach.

Breach notification will include:

• A description of the breach, including the date of the breach and the date of discovery
• The types of data involved in the breach
• Steps you can take to protect yourself from potential harm
• A description of our remediation actions and measures taken to prevent future breaches

Breaches affecting 500 or more individuals will be reported to the U.S. Department of Health and Human Services as required under 45 CFR 164.408, and notice will be provided to prominent media outlets serving the affected area.

7. Complaints

If you believe your privacy rights have been violated, you may file a complaint with My Birth Codex™ or with the U.S. Department of Health and Human Services.

File a Complaint With Us

File a Complaint With HHS

You will not be retaliated against for filing a complaint. Filing a complaint will not affect your access to your records or the services provided by My Birth Codex™.

8. Contact Information

For questions about this notice, to exercise any of your rights, or to request a paper copy of this notice, contact:

9. Changes to This Notice

We reserve the right to change this Notice of Privacy Practices at any time. Changes will apply to data we already hold as well as data we collect in the future. When changes are made, the revised notice will be posted on our website and made available upon request.

The current version of this notice is always available at mybirthcodex.com/npp.