How do we keep your information secure?
We follow HIPAA privacy and security requirements to ensure your data is secure in every way.
Our users must verify their personal identity with a government-issued ID before accessing their records, so only you can access your data.
Your health data is secured and encrypted at rest using industry-standard encryption algorithms backed by 256-bit encryption.
Your privacy matters
We will never share your health data without your explicit consent.
You can request we delete all stored health data at any time.
HIPAA at Polygon Health
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement the requirements of HIPAA. The HIPAA Security Rule protects a subset of information covered by the Privacy Rule.
HIPAA gives users the right to access their own health information, and is what allows Polygon Health to help you retrieve your records from providers.
Confidential and Protected
Standards We Hold Ourselves To:
We hold ourselves to the CARIN Code of Conduct Accreditation Program set forth by EHNAC.
1. CARIN Transparency
1D. We proactively provide clear updates to users when privacy policies or practices have changed.
1E. We use the ONC’s Model Privacy Notice (MPN) and the CARIN questionnaire as a resource when developing the privacy policies of the application.
1F. We are clear with users regarding whether personal data is collected, or disclosed to third parties, on a one-time basis or persistently (and if so, for what duration), and we give users the right to change those options consistent with our consent policies. We empower users to decide if and when they would like to share their health data with vetted researchers.
1G. We are clear with users regarding their rights (or lack thereof) to change or annotate personal data or to disclose portions of their personal data and whether any such changes, annotations, or notices of lack of completeness are communicated to any downstream recipients authorized by the user.
1H. We explain what will happen to the user’s personal data after they withdraw their consent if the user does not exercise his or her right to have the personal data securely disposed of.
1J. We are clear with users about our policies regarding dormant or closed accounts.
2. CARIN Consent
2A. We avoid default personal data sharing by obtaining INFORMED, PROACTIVE CONSENT from users in advance of personal data disclosure with such consent clearly describing how user personal data will be collected, used, and disclosed.
2B. We must obtain separate, informed, proactive opt-in consent to use or disclose personal data from any individual or other individual identified in the personal data for marketing purposes. (For example, Individual A’s consent does not extend to Individual B who may be referenced in Individual A’s personal data.)
2C. We comply with the Children’s Online Privacy Protection Act as defined by applicable law.
2E. We provide users with an easy process for how to withdraw their consent with the application used to access personal data and clearly communicate those processes.
2F. We allow the user to always indicate the destination for disclosing their personal data.
3. CARIN Use & Disclosure
3A. We contractually bind third-party vendors and contractors to our commitments to users regarding use or disclosure of user data (pursuant to Section 2 of the Code) and prohibit uses or disclosures of user data for any purposes not consistent with those commitments without informed, proactive consent from the user.
3B. Except for the contracted third-party vendors identified above or as required by law, we prohibit the use or disclosure of user personal data without user consent.
3C. We limit the collection of personal data to only what the user has expressly consented that the application can collect.
3D. We collect, use, and disclose personal data in ways that are consistent with reasonable user expectations given the context in which the users provided (or authorized the provision of) the health information.
4. CARIN Individual Access
4A. We provide the ability for users to access all personal data about the user collected by the application and a clear, easy process for requesting corrections to any inaccurate data.
4B. We establish and clearly communicate to users clear policies for how the application will handle personal data it collects that may not be timely, accurate, relevant, or complete.
4C. Upon user request, we securely dispose of the user’s personal data completely and indefinitely to allow the user the “right to be forgotten” with respect to any future uses or disclosures of the user’s personal data.
5. CARIN Security
5A. We follow safeguards consistent with the responsible stewardship associated with protection of a user’s personal data against risks such as loss or unauthorized access, use, alteration, destruction, unauthorized annotation, or disclosure.
5B. We store and retain personal data in a manner consistent with the best practices associated with the protection of personal data.
5C. We protect personal data through a combination of mechanisms including, at a minimum: secure storage, encryption of digital records both in transit and at rest, data-use agreements and contractual obligations, and accountability measures (e.g., access controls and logs and independent audits) that could be made available to the user.
5D. We comply with applicable breach notification laws and provide meaningful remedies to address security breaches, privacy, or other violations incurred because of misuse of the user’s personal data.
5E. When requesting a copy of their health data from a HIPAA designated record set maintained by a health care provider, health plan, or health information exchange by 1) relying on a health care provider or health plan portal identity credential using SMART or accepting a digital identity credential for the user that is at least NIST Identity Assurance Level 2 (IAL2) and Authenticator Assurance Level 2 (AAL2) and 2) clearly indicating the destination for sending the personal data.
5F. We adopt internal policies and secure contractual commitments with third parties to prohibit the re-identification of de-identified or anonymized data.
5G. We establish and implement a policy for how to handle dormant user accounts.
6. CARIN Provenance
6A. Where possible, as data is changed, we continue to maintain the provenance of the data to provide users, their caregivers, and authorized recipients information about who or what entity originally supplied the data and, where relevant, who made changes to the data, and what changes were made.
6B. We comply with all applicable federal and state laws.
6C. We designate a responsible executive officer within the company who is committed to these data principles and ensure these commitments are publicly facing to allow oversight enforcement by the Federal Trade Commission (FTC), State Attorneys General, or other applicable authorities.
6D. We establish and clearly communicate a process for collecting and responding to user complaints.
6E. We train our staff on these principles and ensure compliance by regularly evaluating our performance internally.
6F. We will notify the public when we have received any certification or accreditation from any independent certifying organizations (and indicate the timing/duration of such certifications).
7. CARIN Education
7A. We will inform users about their personal data disclosure choices and the consequences of those choices including the risks, benefits, and limitations of data disclosure by providing educational materials or pointing to appropriate third-party resources.