top of page
Copy of Gum Post-15.png

We keep your health data private and secure, and put you in control.

We follow HIPAA, Federal, and State laws to ensure your health data is secure at all times.

Copy of Gum Post-12.png

Privacy and Security Promise

We commit to clarity and openness in our operations. We crafted a privacy policy and terms of service in clear and straightforward language. At any given time, you can contact us at to delete your account and the data associated with it.

How do we keep your information secure?

We follow HIPAA privacy and security requirements to ensure your data is secure in every way.

Our users must verify their personal identity with a government-issued ID before accessing their records, so only you can access your data.

Your health data is secured and encrypted at rest using industry-standard encryption algorithms backed by 256 bit-encryption.

We launched our-13.png

Your privacy matters

We will never share your health data, without your explicit consent.

You can request we delete all stored health data at any time.

HIPAA at Polygon Health

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement the requirements of HIPAA. The HIPAA Security Rule protects a subset of information covered by the Privacy Rule.

HIPAA gives users the rights to access their own health information, and is what allows Polygon Health to help you retrieve your records from providers.

Copy of Gum Post-12.png

Confidential and Protected

We understand the importance of keeping your health data confidential and protected. If you still have questions, please check out our privacy policy and terms of service policy. don't hesitate to reach out to us at, and we will respond shortly.

Standards We Hold Ourself To:

We hold ourselves to follow the CARIN Code of Conduct Accreditation Program set fourth by EHNAC.

I. CARIN Transparency

The Principle of Openness, which provides that the existence of record-keeping systems and databanks containing data about individuals be publicly known, along with a description of main purpose and uses of the data. To learn more, go to our privacy policy.

1A. We have a privacy policy that is based on industry best practices and is prominent, publicly accessible, and easy to read (i.e., written in lay language) and that addresses all of the issues addressed in this framework.

1B. We ensure our privacy policy specifies our Company’s data collection, consent, use, disclosure, access, security, and retention/deletion practices, including the use and disclosure of personal data as well as of de-identified, or pseudonymized information. To learn more about how we store your data and how you can delete your health data, go to our privacy policy.

1C. We address in our privacy policy when personal data disclosure could have an impact on others (such as the impact of disclosing genetic or family history information on relatives).

1D. We proactively provide clear updates to users when privacy policies or practices have changed.

1E. We use the ONC’s Model Privacy Notice (MPN) and the CARIN questionnaire as a resource when developing the privacy policies of the application.

1F. We are clear with users regarding whether personal data is collected, or it is disclosed to third parties, on a one-time basis or persistently collected (and if so, for what duration) and allow the user rights to change those options consistent with the candidate's consent policies. We empower users to decide if and when they would like to share their health data with vetted researchers.

1G. We are clear with users regarding their rights (or lack thereof) to change or annotate personal data or to disclose portions of their personal data and whether any such changes, annotations, or notices of lack of completeness are communicated to any downstream recipients authorized by the user.

1H. We explain what will happen to the user’s personal data after they withdraw their consent if the user does not exercise his or her right to have the personal data securely disposed of.

1I. We specify in our privacy policy what will happen to a user’s personal data in the event of a transfer of ownership or in the case of a company ending or selling its business, and provide the user with at least one of the following options: (i) securely dispose of, transmit, or download their personal data, (ii) ensure the successor entity commitments are consistent with the organization’s then-existing privacy policy, or (iii) allow the user the option to close their account.

1J. We are clear with users regarding its policies regarding dormant or closed accounts.

2. CARIN Consent

2A. We avoid default personal data sharing by obtaining INFORMED, PROACTIVE CONSENT from users in advance of personal data disclosure with such consent clearly describing how user personal data will be collected, used, and disclosed.

2B. We must obtain separate, informed, proactive opt-in consent to use or disclose personal data from any individual or other individual identified in the personal data for marketing purposes. (For example, Individual A’s consent does not extend to Individual B who may be referenced in Individual A’s personal data.)

2C. We comply with the Children’s Online Privacy Protection Act that is defined by applicable law.

2D. We provide users with advance notice of its privacy policy changes and allow the user to affirm their consent to the updated privacy policy changes in order to continue to use and disclose their personal data with the application or give user the option to withdraw consent or close the account.

2E. We provide users with an easy process for how to withdraw their consent with the application used to access personal data and clearly communicate those processes.

2F. We allow the user to always indicate the destination for disclosing their personal data.

3. CARIN Use & Disclosure

3A.  We contractually bind third-party vendors and contractors to candidate's commitments to users regarding use or disclosure of user data (pursuant to Section 2 of the Code) and prohibit uses or disclosures of user data for any purposes not consistent with those commitments without informed, proactive consent from the user.

3B. We except for the contracted third-party vendors identified above or as required by law, prohibit the use or disclosure of user personal data without user consent.

3C. We limit the collection of personal data to only what the user has expressly consented that the application can collect.

3D. We collect, use, and disclose personal data in ways that are consistent with reasonable user expectations given the context in which the users provided (or authorized the provision of) the health information.

4. CARIN Individual Access

4A. We provide the ability for users to access all personal data about the user collected by the application and a clear, easy process for requesting corrections to any inaccurate data.

4B. We establish and clearly communicate to users clear policies for how the application will handle personal data it collects that may not be timely, accurate, relevant, or complete.

4C. We upon user request, securely dispose of the user’s personal data completely and indefinitely to allow the user the “right to be forgotten” with respect to any future uses or disclosures of user’s personal data.

5. CARIN Security

5A. We follow safeguards consistent with the responsible stewardship associated with protection of a user’s personal data against risks such as loss or unauthorized access, use, alteration, destruction, unauthorized annotation, or disclosure.

5B. We store and retain personal data in a manner consistent with the best practices associated with the protection of personal data.

5C.  We protect personal data through a combination of mechanisms including, at a minimum: secure storage, encryption of digital records both in transit and at rest, data-use agreements and contractual obligations, and accountability measures (e.g., access controls and logs and independent audits) that could be made available to the user.

5D. We comply with applicable breach notification laws and provide meaningful remedies to address security breaches, privacy, or other violations incurred because of misuse of the user’s personal data.

5E. When requesting a copy of their health data from a HIPAA designated record set maintained by a health care provider, health plan, or health information exchange by 1) relying on a health care provider or health plan portal identity credential using SMART or accept a digital identity credential for the user that is at least NIST Identity Assurance Level 2 (IAL2) and Authenticator Assurance Level 2 (AAL2) and 2) clearly indicating the destination for sending the personal data.

5F. We adopt internal policies and secure contractual commitments with third parties to prohibit the re-identification of de-identified or anonymized data.

5G. We establish and implement a policy for how to handle dormant user accounts.

6. CARIN Provenance

6A. We where possible, as data is changed, continue to maintain the provenance of the data to provide users, their caregivers, and authorized recipients information about who or what entity originally supplied the data and, where relevant, who made changes to the data, and what changes were made.

6B. We comply with all applicable federal and state laws.

6C. We designate a responsible executive officer within the company who is committed to these data principles and ensure these commitments are publicly facing to allow oversight enforcement by the Federal Trade Commission (FTC), State Attorneys General, or other applicable authorities.

6D.  We establish and clearly communicate a process for collecting and responding to user complaints.

6E. We train our staff on these principles and ensure compliance by regularly evaluating its performance internally.

6F. We will notify the public when it has received any certification or accreditation from any independent certifying organizations (and indicate the timing/duration of such certifications).

7. CARIN Education

7A. We will inform users about their personal data disclosure choices and the consequences of those choices including the risks, benefits, and limitations of data disclosure by providing educational materials or pointing to appropriate third-party resources.

Copy of Gum Post-12.png

Privacy Matters.

We understand the importance of keeping your health data confidential and protected. If you still have questions, please check out our privacy policy and terms of service policy. don't hesitate to reach out to us at, and we will respond shortly.

bottom of page