Parker
Patient Rights & Policy V2.0

The laws are on your side.

Over the last decade, the U.S. and EU passed a sequence of rules that put you in charge of your health data — Cures Act, ONC (g)(10), HIPAA Right of Access, CMS Interoperability, TEFCA, GDPR. Most people don't know they exist. This page is the field guide, plus where Parker stands on each.

Our position V2.0

Compliance is the floor. Ownership is the ceiling.

We build APEX so that even if every favorable rule were repealed tomorrow, the patient would still own and control their record. Standards-based interoperability isn't a compliance checkbox here — it's the architecture.

FEDERAL ALIGNMENT
CMS Pledge · HHS EHR Workgroup Chair

Founder Vincent J. Lopez chairs the HHS EHR Workgroup; Parker is in the CMS Health Tech Ecosystem cohort.

SECURITY POSTURE
SOC 2 Type II · HITRUST · HIPAA · GDPR

Annually audited. Beacon witnesses every PHI access in production — visible to the patient in real time.

GLOBAL READINESS
EMEA deployment · TEFCA-native architecture

London HQ for EU residents; preparing for QHIN participation to bridge networks under TEFCA.

The field guide V2.0

Nine rules. One owner.

The plain-English version of every U.S. and EU rule that shapes the patient-data landscape Parker operates in — and what we do about each.

21st Century Cures Act

21st Century Cures Act — Title IV (Information Blocking)

2016 · enforced 2020 · Congress · ONC · HHS-OIG
Patient right

Your records, electronic, on demand — no blocking.

Made it illegal for providers, EHRs, and HIEs to block the flow of electronic health information. Patients have the right to receive their records in a usable electronic format without delay or special fees.

PARKER IMPLEMENTS

APEX Nexus is built on the same Cures-mandated FHIR APIs that providers are now required to expose. Pulse is the patient-facing implementation of the rights this law created.

ONC Final Rule

ONC Cures Act Final Rule — (g)(10) certification

2020 · ONC
Patient right

Any app you choose can pull your records — standards-based, no special deals.

Required certified EHRs to expose standardized FHIR APIs (USCDI v1+, single-patient and bulk) so that patient apps can connect without bespoke integrations.

PARKER IMPLEMENTS

Every APEX surface conforms to (g)(10) — single-patient and bulk FHIR, USCDI v4, SMART on FHIR authorization. We refuse to build proprietary connectors that would re-create the lock-in the rule outlawed.

HIPAA Right of Access

HIPAA Privacy Rule — Right of Access (45 CFR §164.524)

1996 · 2020 OCR guidance · HHS-OCR
Patient right

Your record, your format, your timing — at cost.

Patients can request copies of their designated record set in the form and format they choose, within 30 days, for no more than the cost of labor and supplies.

PARKER IMPLEMENTS

Pulse exercises this right automatically and continuously. No 30-day waits. No per-page fees. No surprise PDFs when you asked for FHIR.

CMS Interoperability & Patient Access

CMS Interoperability and Patient Access Rule

2020 · 2024 update · CMS
Patient right

Your claims data is yours — and it follows you when you switch plans.

Required Medicare Advantage, Medicaid, CHIP, and ACA plans to expose Patient Access, Provider Directory, and Payer-to-Payer FHIR APIs so claims and clinical data follow the patient.

PARKER IMPLEMENTS

Pulse ingests payer-side claims via the same APIs and reconciles them against clinical events in the Data Lake. Payer + provider truth in one record.

TEFCA

Trusted Exchange Framework and Common Agreement

2022 · live 2023 · ONC · The Sequoia Project (RCE)
Patient right

Records flow between networks without you re-explaining who you are.

A nationwide governance framework for health information exchange via QHINs (Qualified Health Information Networks). Establishes a single on-ramp for cross-network data sharing.

PARKER SUPPORTS

Parker is preparing for QHIN participation. The architecture is TEFCA-native — every exchange will be a Beacon-witnessed event resolved against a GPID.

USCDI v4

United States Core Data for Interoperability — v4

2023 · ONC
Patient right

Apps see the same data classes everywhere — no scavenger hunts.

The mandated minimum data classes and elements that certified health IT must exchange. Includes demographics, problems, labs, imaging, encounters, social determinants, and more.

PARKER IMPLEMENTS

APEX speaks USCDI v4 across every surface — exceeding the floor with provider attribution, dual-verification status, and consent provenance.

HHS AI Strategic Plan

HHS AI Strategic Plan (Use, Oversight & Patient Rights)

2025 · HHS · ONC · ASTP
Patient right

AI in your care must be transparent, accountable, and consensual.

Federal framework for safe, equitable AI in health and human services. Emphasizes transparency, accountability, patient consent, and oversight of clinical AI.

PARKER ADVOCATES

Codified in our Health AI Rights — every Pulse AI output is attributed, explainable, never used to deny care, and never trained on patient data without explicit consent.

State Privacy Laws

Comprehensive State Privacy Laws (CCPA/CPRA, VCDPA, CPA, +20 more)

2020–2026 · State AGs
Patient right

Strongest state law in the room — without you having to ask.

State-level rights of access, deletion, correction, and portability — many with explicit protections for sensitive health and biometric data beyond HIPAA's scope.

PARKER IMPLEMENTS

Parker honors the strictest applicable state right by default. One privacy floor, regardless of where the user lives.

GDPR

EU General Data Protection Regulation

2018 · EDPB · national DPAs
Patient right

EU-grade rights for EU residents — by design, not as an afterthought.

Strict consent, data-minimization, portability, and erasure rights for EU residents, with health data classified as a special category requiring explicit consent.

PARKER IMPLEMENTS

Parker EMEA operates a GDPR-compliant deployment from London. Same Pulse and Prime experience, same patient-owner principle, EU-resident data residency.

Parker's commitment V2.0

A patient bill of rights.

Whatever the regulatory weather, these are the commitments Parker makes to every user of every APEX surface.

  1. Your record is yours

    Exportable in open standards (FHIR, CSV, PDF), at any time, at no cost. If you cancel, it leaves with you.

  2. Every access is witnessed

    APEX Beacon logs every read and write to your record. You can see the log in real time.

  3. Every share is revocable

    Time-boxed handoffs. One tap to cut access. No silent retention.

  4. No data sale, ever

    Contractually binding. No payer, no employer, no advertiser. Read it in our Health AI Rights.

  5. AI is transparent and consensual

    Every AI output is attributed, explainable, and never trained on your data without explicit opt-in.

  6. One identity across every surface

    GPID resolves you across Pulse, Prime, and any provider on the APEX network — without re-enrollment friction.