Notice of Privacy Practices for US Patients

Effective Date: May 14, 2026

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law. It requires us to protect the privacy of certain health information that can be used to identify you (“PHI”) and to notify you of any breach of your unsecured PHI. BillionToOne is committed to the protection of your PHI and will make reasonable efforts to maintain the confidentiality of your PHI, as required by statute and regulation. We take this commitment seriously and will work with you to comply with your right to receive certain information under HIPAA. We will not sell your PHI and will not use or share it other than as described in this Notice. If you tell us we can, you may still change your mind at any time. Please let us know, in writing, if you change your mind. For more information see: https://www.hhs.gov/hipaa/for-individuals/notice-privacy-practices/index.html.

This Notice covers the PHI of our U.S. patients. If you are not a U.S. patient of BillionToOne but are using our website and/or other electronic platforms for other purposes, please refer to our online Privacy Policy, which describes how we collect, use and disclose other types of personal information and our Terms of Use which describe certain obligations related to your use of those platforms. 

This Notice applies to the PHI of U.S. patients only. If you are a patient located outside the U.S., there may be other global regulatory protections that apply to your information. Similarly, this Notice only describes our privacy practices under HIPAA, which is a federal law. Many states also have privacy laws.  and, when applicable, we will follow any state law that is more protective of your medical or genetic information or that provides you with greater rights. 

Your personal physician or other health care provider may have different policies or notices regarding their use and disclosure of your medical information. You should consult those notices as well.

What is Protected Health Information

“Protected Health Information” or “PHI” is information about you that may identify you and relates to your past, present, or future physical or mental health or condition, the provision of health care services to you, or the payment for those health care services. Examples of PHI include your name, home address, date of birth, email address, phone number, insurance identification number, and medical history. Some examples of documents that may contain your PHI include laboratory test orders, test results and invoices.

BillionToOne may receive PHI about you from many different sources including, among others, your health care providers and, where applicable, your patient portal and your insurance carriers. We create PHI when we process test orders, perform tests, and provide results to you and your ordering providers. We also create PHI when we bill for our services. We retain your PHI as part of your medical record in order to continue supporting your care and to comply with our legal obligations.

Your Rights

When it comes to your PHI, you have certain rights. The information below explains your rights and some of our responsibilities to help you. You, or an individual with legal authority to act on your behalf, have the following rights with respect to your PHI. To exercise any of these rights, please contact us using the information at the end of this Notice.

To Receive a Copy of This Notice

You may request a paper or electronic copy of this Notice at any time, even if you have previously agreed to receive it electronically.

To Access Your PHI

  • You have the right to request an electronic or paper copy of the information we keep as part of your medical record. If you wish to exercise this right, please complete our Patient Medical Records Release Form and submit it the email address indicated in the Form.
  • We will typically respond to your request within 30 days. 
  • Where technically feasible, we will provide records in the electronic format you request, and we may charge a reasonable, cost-based fee for copying and mailing records. 
  • We may deny certain requests, and if denied, we will explain the reason in writing. In some cases, you may have the right to request a review of a denial.
  • You can also ask us to share a copy of your PHI with a third party, including a Health Information Exchange (HIE). 
  • We reserve the right to verify your identity and the identity of any third party recipient before accommodating your request.

To Request a Correction of your PHI

If you believe the PHI that we have about you is incorrect or incomplete, you may ask us to correct it. Your written request must describe the desired correction and the reasons you believe it is warranted. We will ordinarily respond within 60 days. We may deny your request - for example, if we did not create the information, or if we believe it is accurate and complete—and will explain any denial in writing. If denied, you have the right to file a statement of disagreement and to request that your original request, our denial, your statement, and our rebuttal be included in future disclosures of your PHI.

To Request Confidential Communications

You may ask us to communicate with you about your PHI only by specific means (such as mail or email only) or at an alternative address. We will accommodate all reasonable requests, but we reserve the right to verify your identity before confirming any alternative contact information.

To Ask Us to Limit What We Use or Share

You have the right to ask us to restrict how we use or disclose your PHI for treatment, payment, or health care operations, and/or what we disclose to someone involved in your care. We are not required to agree to most restriction requests. However, if you or someone on your behalf has paid out-of-pocket and in full for a service, we will agree to your request not to share information about that service with your health insurer for payment or health care operations purposes, unless required by law. 

To Receive a List of Disclosures (Accounting)

You have the right to ask us for a list (an accounting) of certain disclosures of your PHI we have made during the six-year period prior to your request. The list will not include disclosures made for treatment, payment, or health care operations, or certain other disclosures (such as those you authorized). We will provide one free accounting per patient per year; additional requests within 12 months may be subject to a reasonable, cost-based fee.

To Receive Notification of a Breach

You have the right to receive timely notification if a breach of your unsecured PHI occurs. We will notify you no later than 60 days after our discovery of the breach, or sooner as required by applicable law. Our notification will describe the nature of the breach, the types of information involved, steps you can take to protect yourself, and what we are doing to investigate and mitigate any harm resulting from the breach.

To Choose Someone to Act for You

If you have given someone medical power of attorney or if someone is your legal guardian, that person can exercise your rights and make choices about your PHI. We will verify that the person has the right authority and can act for you before we take any action.

To File a Complaint if you Feel your Rights Have Been Violated

  • You can complain if you feel we have violated your privacy rights by contacting us using the information at the end of this Notice.
  • You can file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights by sending a letter to 200 Independence Avenue, S.W., Washington, D.C. 20201, calling (877)-696-6775, or visiting https://www.hhs.gov/hipaa/filing-a-complaint/index.html.
  • We will not retaliate against you for filing a complaint.

Right to Request Sample Destruction and Research Opt-Out

When testing is complete, we may keep and use remaining blood sample materials for internal quality assurance, test validation, and/or other legally permitted purposes. Although HIPAA does not require us to retain or destroy blood samples or other biological materials, we do permit you to request that we destroy your sample after your testing is complete.  You also have the right to opt-out of the use of your sample for research and development. Please note that opt-outs requests will be effective on a going-forward basis only and will not impact any uses or disclosures that occurred prior to our receipt of your opt-out request. To submit a request about how we use your remaining sample, please contact us by phone at (650)-460-2551 or by email at Support@BillionToOne.com.

Your Choices

For certain PHI, you can tell us your choices about what we share. If you have a clear preference for how we share your information in the situations described below, talk to us. Tell us what you want us to do, and we will follow your instructions. In these cases, you have both the right and choice to tell us to:

  • Share information with your family, close friends, or others involved in your care or payment for your care
  • Share information in a disaster relief situation
  • Include your information in a hospital directory

If you are not able to tell us your preference, for example if you are unconscious, we may go ahead and share your information if we believe it is in your best interest. We may also share your information when needed to lessen a serious and imminent threat to health or safety.

We will not sell your PHI and will not use or share it for marketing purposes unless you have given us your permission to do so. In the case of fundraising, we may contact you for fundraising efforts, but you can tell us not to contact you again.

BillionToOne does not operate a substance use disorder (SUD) treatment program and does not anticipate receiving SUD treatment records subject to 42 C.F.R. Part 2 (“Part 2”), which provides special additional privacy protections. In the unlikely event we do receive Part 2 records, we will give you clear and obvious notice in advance and a choice about whether to receive fundraising communications that use your Part 2 information.

Uses and Disclosures of your PHI.

We may use or disclose your PHI for a variety of purposes but always as described in this Notice. As you read this Notice, please keep in mind that:

  • Not every use or disclosure is described in detail in this Notice, but all of our uses or disclosures of your PHI will fall into one of the categories described below.
  • Some of the uses and disclosures described below may be limited or restricted by other global or state laws or other legal requirements, for example, the Clinical Laboratory Improvement Amendments of 1988 (CLIA). Please contact our Privacy Office, using the contact information provided at the end of this Notice, for specific information regarding your country or state of residence.

Typical Uses and Disclosures of your PHI

We will typically use or disclose your PHI in the following ways.

  • To Treat You. We can use your PHI to treat you and disclose it with doctors, other health care professionals, and health care organizations, who are treating you. We may also disclose your PHI to facilitate treatment referrals and/or care coordination.
    Example: We will share your laboratory results with your doctor.
  • To Help Us Run our Organization. We can use and disclose your PHI to support and facilitate certain administrative and management activities necessary to run our laboratory and improve the quality of our services. These include quality assurance, performance improvement, training, audits, and legal and compliance activities. They may also include activities related to the sale, transfer, merger, or consolidation of all or part of our organization with another covered entity, and any related due diligence.
    Example: We use PHI about you to help manage the processes through which you receive treatment and information.
  • To Support Billing and Payment for Your Testing. We can use or disclose your PHI verify your insurance coverage or obtain prior authorization, and to bill and collect payment from you, your insurance company, or other payers. If you are insured under another person’s health insurance policy (such as a parent, spouse, or domestic partner), we may also send billing information to the policyholder whose plan covers your services.
    Example: We give information about you to your health insurance carrier so it will pay for your services.

Other Uses and Disclosures of your PHI 

We are also allowed or required to disclose your information in other ways but, in most cases, we have to meet many legal requirements before we can use or disclose your information for these purposes. For more information see: https://www.hhs.gov/hipaa/for-individuals/guidance-materials-for-consumers/index.html.

Business Associates

We may disclose your PHI to companies or individuals that provide services on our behalf, such as billing, IT support, cloud storage, or courier services. HPAA refers to these individuals and entities as “business associates” and they are required by written contract and by law to maintain the privacy and security of your PHI and to notify us of any improper access, use, or disclosure.

Communications About Our Products and Services

We may use your PHI to contact you about health-related products and services that we offer and that may be of benefit to you. We do not share PHI with “business partners” for the purpose of permitting them to offer you any products, services, or promotions on their behalf and we will not share or disclose your PHI to any third party for that third party’s own marketing or promotional purposes without your separate written authorization.

Individuals Involved in Your Care

If you are not present or unable to indicate your preference about disclosures of PHI to a family member, friend, caregiver, or other individual involved in your health care or payment for your health care, we will use our professional judgment to make disclosure determinations in your best interest and as permitted by law.

Public Health and Safety Activities

We may share your PHI with public health authorities and others to help with public health and safety issues, such as:

  • Preventing or controlling disease, injury, or disability;
  • Helping with product recalls;
  • Reporting adverse reactions to medications or medical devices;
  • Reporting suspected abuse, neglect, or domestic violence to appropriate authorities;
  • Preventing or reducing a serious and imminent threat to anyone’s health or safety.

Health Oversight Activities

We may disclose your PHI to government agencies for health oversight activities authorized by law, including audits, investigations, inspections, licensure and disciplinary actions, and other activities necessary for oversight of the health care system and government programs.

Research

We may use or share your PHI for research purposes, as authorized by HIPAA. We may conduct the research internally at BillionToOne, or in collaboration with external researchers who are obligated by contract and/or HIPAA to protect your PHI. In general, your written authorization is required before your PHI is used or disclosed to others for research. However, we may use or disclose your PHI for research without your authorization if a properly constituted Institutional Review Board or Privacy Board has reviewed the research proposal, established adequate protocols to protect your privacy, and determined that individual authorization is not required. We may also use PHI to help design (but not carry out) research studies, or to identify patients who may be eligible for participation, provided the PHI does not leave our possession. Under certain conditions, we may use or disclose PHI about deceased persons for research purposes.

Workers’ Compensation, Law Enforcement, and Other Government Requests

We may use or share your PHI:

  • For workers’ compensation claims;
  • With law enforcement officials in response to a warrant, court order, administrative demand, or similar legal process, or to help identify or locate a suspect, fugitive, material witness, or missing person; when a law enforcement request is not accompanied by a non-disclosure or gag order, we will seek to confirm that notice has been provided to you as required by applicable law;
  • With the U.S. Food and Drug Administration (FDA) and other health oversight agencies for audit, event reporting, and other activities authorized by law;
  • For specialized government functions such as military command authorities, national security and intelligence organizations, and presidential protective services;
  • With correctional institutions, if you are an inmate or in the custody of a law enforcement official.

Lawsuits and Legal Actions

We may disclose your PHI in response to a court or administrative order, or in response to a subpoena, discovery request, or other lawful legal process. When a legal request is not accompanied by a non-disclosure or gag order, we will seek to confirm that notice has been provided to you, as required by applicable law, before making the disclosure 

Organ and Tissue Donation

We may disclose your PHI to organ procurement organizations or other entities involved in the procurement, banking, or transplantation of organs, eyes, or tissues.

Coroners, Medical Examiners, and Funeral Directors

We may disclose your PHI to a coroner, medical examiner, or funeral director as permitted by law to enable them to carry out their legally authorized duties.

Data Breach Notification

We may use your PHI to provide legally required notices of unauthorized access to, acquisition of, or disclosure of your PHI.

As Otherwise Required by Law

We will share your PHI when required to do so by any other applicable federal, state, or local law, including disclosures to the U.S. Department of Health and Human Services, Office for Civil Rights, when that agency investigates our compliance with HIPAA.

De-Identification of PHI and Limited Data Sets

We may use your PHI to create “de-identified” information by removing or coding identifiers that could reasonably be used to identify you, in accordance with HIPAA’s de-identification standards. Once information has been properly de-identified as required by law, it is no longer PHI and is not subject to this Notice. We may use and share de-identified information for any lawful purpose including, among others, those listed below. But we will not attempt to re-identify de-identified information, and when we disclose de-identified information to third parties, we will require by contract that those parties also refrain from attempting to re-identify it:

  • To develop and improve our genetic tests and testing methodologies;
  • To contribute to our variant classification program;
  • To conduct or support clinical research or studies (alone or in collaboration with others), the results of which may be published in peer-reviewed journals;
  • To contribute to publicly available genomic databases which benefit the broader scientific and clinical community.

We may also create “limited data sets” – which are sets of PHI with most direct identifiers removed – and use or disclose them for research, health care operations, or public health purposes. We will only disclose a limited data set pursuant to a HIPAA-compliant data use agreement that obligates the recipient to maintain appropriate safeguards.

Incidental Uses and Disclosures

Sometimes your PHI may be incidentally used or disclosed in the course of permitted primary uses and disclosures, such as for treatment, payment, or health care operations. We are permitted to make such incidental uses and disclosures, provided we have implemented reasonable safeguards to protect your privacy and take reasonable steps to minimize the amount of PHI involved.

Special Considerations for Highly Sensitive Information

For some types of medical information that are particularly sensitive (e.g., certain genetic testing, HIV/AIDS, and psychotherapy, substance abuse, and sexual assault, information), federal or state law may require your written permission or, in some cases, a court order, to disclose that information. While BillionToOne does provide genetic testing and related results, it typically does not collect or retain these other types of information as part of your medical record. We will comply with applicable laws with respect to the disclosure of highly sensitive information.

Sales and Marketing

We do not sell your PHI, and we will not use or share it for marketing purposes unless you have given us your permission to do so.

Our Responsibilities

BillionToOne is required by law to:

  • Maintain the privacy and security of your PHI;
  • Provide you with this Notice describing our legal duties and privacy practices;
  • Adhere to HIPAA’s “Minimum Necessary” standard which generally requires that we make reasonable efforts to limit the use or disclosure of your PHI to the minimum amount necessary to accomplish the intended purpose;
  • Notify you promptly - and no later than 60 days after discovery - if a breach occurs that may have compromised the privacy or security of your unsecured PHI;
  • Follow the terms of this Notice while it is in effect;
  • Not use or share your PHI other than as described in this Notice, unless you authorize us to do so in writing. If you give us written authorization, you may revoke it at any time.

How We Protect Your Information

We have and will continue to implement material physical, administrative, and technical safeguards designed to protect the privacy and security of your PHI against reasonably anticipated threats or hazards to its security or integrity and against unauthorized uses or disclosures. We comply with all applicable HIPAA requirements and state level privacy regulations. We will not sell your PHI to, or share it for marketing purposes with, any third party, without your explicit written authorization. If a breach occurs that may have compromised the privacy or security of your PHI, we will comply with all applicable federal and state notification requirements.

How We Contact You

We may contact you through your registered Patient Portal account or by email, cellular or home telephone, text message, automatic telephone dialing system, pre-recorded or synthetic voice message, or computer-assisted technology, regarding your testing, test results, treatment options, billing and collection matters, health-related products and services, studies, or other information relating to your health care. When we contact you in this manner, you will be given the opportunity to opt out of receiving similar communications going forward.

Your consent to receive text messages is not required as a condition of purchasing or using any of our products or services. We do not charge separately for our texting programs; however, your mobile carrier's standard message and data rates may apply.

Our communications may include, but are not limited to, information about: appointment or collection logistics; the status of your test order; test results; billing; research and clinical study opportunities; our products and services; treatment alternatives that may be of interest to you; and regulatory notices provided in lieu of first-class mail.

There are inherent risks related to the use of text and email communication to transmit PHI, including the risk that the message could be inadvertently or intentionally accessed by unauthorized parties in transit. Those risks increase with the use of unencrypted electronic communications. We take steps to limit the amount of PHI included in electronic communications and to initiate transmissions of PHI to encrypted platforms, but if you choose to contact us by text or email, you are assuming those and other related electronic communication risks.

How to Communicate Your Choices and Exercise Your Rights

If You have established a Patient Portal account, you can update your communication preferences (i.e., email, SMS or automated phone calls), including opting out of receipt of text messages, emails and automated phone calls for all purposes (i.e. to include appointment reminders, billing, research opportunities, marketing communications relating to our products and services, treatment alternatives, etc.) in your Patient Portal account. You can access your Patient Portal at https://results.unityscreen.com/client/login.

If you don’t have a Patient Portal account, you can opt-out of receipt of text messages, emails and automated phone calls for all purposes (i.e. to include appointment reminders, billing, research opportunities, marketing communications relating to our products and services, treatment alternatives, etc.), by calling us at (650) 460-2551 or emailing us at Support@BillionToOne.com

You can communicate with us about any other privacy related requests or questions by calling us at (650) 460-2551 or emailing us at Privacy@BillionToOne.com.

Additional Rights for California Residents

If you are a California resident, you have additional rights under the California Confidentiality of Medical Information Act (CMIA) and other California laws that are more protective than HIPAA in certain respects:

Right to access records promptly. Under the CMIA, we must provide access to your records within 5 business days of your request, which is faster than the federal HIPAA standard.

Special protections for sensitive information. California law provides enhanced protections for certain categories of sensitive health information, including mental health records, HIV/AIDS status, substance use disorder treatment records, reproductive health information, and sexual and reproductive health information. Disclosure of such information without authorization may be subject to civil and criminal penalties under California law.

California reproductive health privacy protections. California law provides independent protections for reproductive health information beyond those available under federal HIPAA. Under the California Confidentiality of Medical Information Act (CMIA), reproductive health information is a protected category of medical information, and we will not disclose your reproductive health information without your written authorization except as required by law. In addition, under California Health & Safety Code § 123462 and related provisions, BillionToOne will not disclose information about reproductive health care you have sought or received in California to any person or entity for purposes of investigation or imposition of liability arising from that care. 

Protection from immigration enforcement. Under California SB 81 (effective September 20, 2025), which amends the CMIA, your immigration status and place of birth are classified as protected medical information. We will not voluntarily disclose this information—or any other PHI—to federal immigration enforcement agencies except where expressly authorized by you in writing, required by a valid court order or judicial warrant, or otherwise required by law. This protection applies regardless of your immigration status.

Minor patients’ confidentiality. Under California law, minors who consent to certain health care services (including services related to sexual health, substance use, or mental health) have the right to have that information kept confidential from parents or guardians, as set forth in California Health & Safety Code § 123115 and related statutes. We will comply with all applicable California minor confidentiality requirements.

Right to know about disclosures. California law may provide you with additional rights to receive information about categories of third parties with whom your medical information has been shared and the purposes for such sharing.

Special Protections for Genetic Information

BillionToOne is a clinical genetic testing laboratory whose tests are ordered by licensed health care providers for diagnosis and treatment of medical conditions. As a HIPAA-covered entity providing physician-ordered clinical testing, we are generally exempt from the California Genetic Information Privacy Act (GIPA), Cal. Civ. Code §§ 56.18 et seq., which applies primarily to direct-to-consumer genetic testing companies. Your genetic data is protected as PHI under HIPAA and as medical information under CMIA. Notwithstanding any exemption, BillionToOne is committed to the following standards for your genetic information:

  • What is genetic data? For purposes of this section, “genetic data” means any data that results from the analysis of a biological sample from you and that concerns your genetic characteristics, including raw sequencing data, genetic variants, and test results.
  • Use limited to the primary purpose. We will use your genetic data only to provide the testing services ordered by your health care provider, to carry out related treatment, payment, and health care operations, and as otherwise permitted by HIPAA and California law. We will obtain your written authorization before using or disclosing your genetic data for any other purpose, including research, product development, or secondary commercial use.
  • No sale of genetic data. We will not sell, lease, or otherwise transfer your genetic data, de-identified genetic data, or any data derived from your biological sample to any third party for commercial purposes, except as required by law or with your explicit written authorization.
  • No disclosure to insurers or employers without authorization. We will not disclose your genetic data to health insurance companies, life insurance companies, or employers for underwriting, eligibility, or employment purposes without your written authorization.
  • Research. We will not disclose your identifiable genetic data for research purposes outside BillionToOne without your prior written authorization, or unless the research has been reviewed and approved under applicable federal and state research protections.
  • Complaints. If you believe your genetic information has been misused, you may file a complaint with us or, depending on the nature of the concern, with the U.S. Department of Health and Human Services, the California Department of Public Health, or the California Attorney General. You will not face retaliation for filing a complaint.

Record Retention

We will retain PHI contained in your medical and billing records in accordance with applicable federal and California law. California law generally requires retention of adult patient records for a minimum of 7 years from the date of service; records of minor patients are retained until the minor reaches age 19, or for 7 years from the date of service, whichever is longer.

Notice About Redisclosure

Important: When BillionToOne discloses your PHI to another party in accordance with HIPAA (for example, to a health care provider, health plan, or business associate), that information may be subject to redisclosure by the recipient. Once your PHI is in the hands of a third party, it may no longer be protected by HIPAA as to that recipient, and additional restrictions may or may not apply depending on the recipient’s applicable legal obligations. If you have concerns about how a recipient may use your information, we encourage you to inquire directly with that party about their privacy practices.

Compliance with Laws

If more than one law applies to your health information - such as a more protective state or local law - we will follow the more protective standard. Some state laws, like California - are more protective than federal HIPAA requirements in certain areas including, among others, genetic information, reproductive health, and patient access to records, and we comply with those more stringent requirements. Some of the uses and disclosures described in this Notice may be further limited by other applicable laws, including the Clinical Laboratory Improvement Amendments of 1988 (CLIA).

Changes to This Notice of Privacy Practices

We reserve the right to change our privacy practices and this Notice at any time. Any revised Notice will be effective for all PHI we maintain, including PHI created or received before the effective date of the revision. When we make material changes, the revised Notice of Privacy Practices will be posted on our website and made available upon request. The effective date of the most recent revision is identified at the top of this document.

Non-Discrimination Notice

BillionToOne complies with applicable federal civil rights laws and does not discriminate against, exclude, or treat patients differently on the basis of race, color, national origin, age, disability, or sex. We provide reasonable modifications for qualified individuals with disabilities and language assistance services free of charge to individuals whose primary language is not English. If you need these services, please contact us at (650) 460-2551 or Support@BillionToOne.com.

If you believe that BillionToOne has failed to provide these services or otherwise discriminated in the provision of services, you may file a grievance with us using the contact information below, or file a civil rights complaint with the U.S. Department of Health and Human Services, Office for Civil Rights, at:

  • Online: https://ocrportal.hhs.gov/ocr/portal/lobby.jsf
  • Mail: U.S. Department of Health and Human Services, 200 Independence Avenue SW, Room 509F, Washington, D.C. 20201
  • Phone: (800) 368-1019; TDD: (800) 537-7697

Questions and Complaints 

BillionToOne is committed to resolving questions and concerns about your privacy. If you believe your privacy rights have been violated, you have the right to file a complaint with us. You also have the right to file a complaint with the Secretary of the U.S. Department of Health and Human Services, Office for Civil Rights. We will not retaliate against any individual for filing a complaint. To file a complaint with us, or if you have any questions about this Notice or our privacy practices, send an email to us at Privacy@BillionToOne.com or write to us at the following address:

BillionToOne, Inc.
Attention: Privacy Officer
1035 O’Brien Drive
Menlo Park, CA 94025

You may also contact the Privacy Officer by phone at (650) 460-2551.