Polygon Health 
Health Wallet
Privacy Policy

Polygon Health: 🛡️ Privacy and Security Notice
 

Effective Date: April 27, 2026 (Material changes will be listed here with their own effective dates.)

 

Polygon Health, Inc. (“Polygon Health,” “we,” “our,” or “us”) provides Individual Access Services (“IAS”) that allow you to request and receive your health information through our application, website, or other interfaces. This Privacy and Security Notice (“Notice”) explains how we collect, use, disclose, protect, and retain your Individually Identifiable Information (“III”), and your rights under the Trusted Exchange Framework and Common Agreement (“TEFCA”).

 

We follow the Common Agreement, the IAS Provider Requirements SOP, the Participant and Subparticipant Terms of Participation, and all applicable laws.

 

1. Availability of This Notice

We make this Notice publicly available at all times:

  • It is posted on our website and in all user-facing applications.

  • Updated versions are posted before their effective date.

  • Material changes are clearly marked.

  • Updated versions are proactively provided to enrolled Individuals based on their communication preferences.

  • If there is a dispute about whether a change was “material,” Polygon Health bears the burden of proving it was not.
     

2. Contacting Polygon Health

You may contact us with questions or privacy-related complaints:

  • Email: contact@polygonhealth.com

  • Mailing Address: One Broadway, 14th Floor, Cambridge, MA 02142

  • Phone for general questions: +1 866-778-8865

  • Toll-free number for IAS Incident contact: +1 866-778-8865

  • In-App Support: Available in all user-facing applications

We maintain a documented process for tracking complaints and our responses.

 

3. Information We Collect and How We Use It
 

3.1 👤 Information We Collect

To provide IAS, we collect:

  • Name

  • Date of birth

  • Address

  • Contact information

  • Identity verification information (via CLEAR)

  • Health information retrieved through TEFCA Exchange via KNO2

  • Account and authentication information (via AWS Cognito)

  • Device and usage information

  • Any other information you provide
     

3.2 📋 How We Use Your Information

We use your information to:

  • Verify your identity

  • Retrieve your TEFCA health information

  • Present and summarize your health information

  • Manage your account

  • Secure and maintain our systems

  • Respond to your requests

  • Comply with legal obligations

We do not use your information to assert claims against you.

 

4. How Your Information Is Accessed, Used, and Disclosed

Polygon Health is a Request-Only IAS Provider.

REQUEST-ONLY IAS PROVIDER: POLYGON HEALTH DOES NOT PROVIDE BIDIRECTIONAL SERVICES. YOU WILL HAVE THE ABILITY TO REQUEST ACCESS TO YOUR HEALTH INFORMATION VIA TEFCA EXCHANGE. YOU WILL NOT BE ABLE TO USE POLYGON HEALTH TO SHARE YOUR HEALTH INFORMATION WITH OTHER PARTICIPANTS IN TEFCA.

 

4.1 🌐 Disclosures to Third Parties

We disclose your information only to:

  • KNO2, to retrieve your TEFCA health records

  • CLEAR, for identity verification

  • AWS, for secure hosting and authentication

  • Operational service providers (e.g., logging, security monitoring, analytics)

  • Research partners, but only if you opt in and only after your data is de-identified

  • Law enforcement, if required by law

We do not disclose identifiable TEFCA data to any TEFCA Participant other than KNO2.

 

4.2 🧪 Uses Outside Our Direct Control

If you opt into a research program:

  • Only de-identified data is shared

  • Research partners may use it only for approved research

  • They are contractually prohibited from re-identifying you
     

4.3 ⏰ Retention

We retain your information only while you maintain an IAS account. Audit logs are retained as required by TEFCA.

 

4.4 🎭 De-identification

If you participate in research:

  • We remove all 18 HIPAA Safe Harbor identifiers

  • We store TEFCA data using an internal identifier that cannot be linked back to you without authentication

  • Only de-identified data is shared unless you explicitly consent otherwise

 

4.5 🔗 TEFCA-Permitted Uses

All disclosures through TEFCA are made only in accordance with the permitted and required Uses and Disclosures specified in the Common Agreement and applicable HHS guidance.

 

4.6 ⚖️ HIPAA Status

Polygon Health is not a HIPAA-regulated entity.

 

4.7 ⚠️ Legal Demands

We notify you within three (3) business days if:

  • We receive a subpoena, warrant, or court order for your information

  • We make your information available to law enforcement

Unless prohibited by law, you may object or seek a protective order.


5. 🔒 Our Security Practices

We:

  • Use commercially reasonable efforts to prevent unauthorized access, modification, use, or destruction

  • Encrypt all III in transit and at rest

  • Use CLEAR for identity verification

  • Use AWS Cognito for authentication

  • Maintain secure logging via PostgreSQL

  • Require third-party service providers to follow strong privacy and security practices

  • Notify you if your information is reasonably believed to have been affected by an IAS Incident

Our obligations under this Notice continue as long as we maintain your Individually Identifiable Information.

 

6. ✅ Your Consent

We obtain your express, documented, informed consent:

  • Before you use Polygon Health’s IAS

  • Before using your information in any materially different way

  • Before implementing any material change to this Notice

  • Before sharing de-identified data with research partners

We maintain an auditable log of all consents.

 

7. ↩️ Revoking Your Consent

You may revoke your consent at any time.

 

7.1 Step-by-Step Revocation Instructions

  1. Go to Account Settings

  2. Delete your account

  3. Upon deletion, your Health Wallet consent and data will be deleted

Upon revocation, all data will be deleted.

These instructions are also posted on our website in a stand-alone, conspicuous location.

 

8. 🧾 Your Rights

You have the right to:
 

8.1 Delete Your Information

You may require us to delete all III we maintain about you, except audit logs.
 

8.2 Access Your Information

You may access all information we maintain about you through your account.
 

8.3 Export Your Information

You may export your information in a machine-readable format. If you participate in research, you may also export your de-identified dataset.


8.4 Receive IAS Incident Notifications

We notify you without unreasonable delay if your information is reasonably believed to have been affected by an IAS Incident.


8.5 Your Choices

You may choose:

  • Whether to participate in research

  • Whether to delete your information

  • Whether to export your information

Because Polygon Health is Request-Only:

  • You cannot use Polygon Health to share your information with TEFCA Participants

  • XP-code sharing choices do not apply
     

8.6 How to Exercise Your Rights (Conspicuously Displayed)

  • Access: App → Records → View All

  • Export: App → Records → Export → Choose Format

  • Delete: App → Settings → Privacy → Delete My Data

  • Incident Notices: Delivered via your communication preferences

If any law prevents us from honoring your request, we will inform you.

 

9. 💲 Fees

Polygon Health does not charge any fees for IAS, including:

  • Account creation

  • Identity verification

  • Retrieval of TEFCA data

  • Display and summarization

  • Export

  • Deletion

  • Incident notifications

  • Revocation of consent

If fees are ever introduced:

  • A detailed fee schedule will be added to this Notice

  • You will be notified before fees take effect

  • Your express consent will be required

 

10. 🚫 Sale, Marketing, or Targeted Advertising

Polygon Health does not:

  • Sell your data

  • Exchange your data for remuneration

  • Use your data for targeted advertising

If this ever changes, we will obtain separate, express consent.

 

11. 🚨 IAS Incident Response
 

11.1 Definition of an IAS Incident

An IAS Incident includes:

  • Unauthorized access, acquisition, use, disclosure, modification, or destruction of III

  • A TEFCA Security Incident

  • A breach of unencrypted III

  • Loss or compromise of credentials used to access TEFCA

  • Any event that disrupts our ability to provide IAS
     

11.2 Detection

We detect potential IAS Incidents through:

  • Cloud infrastructure alerts

  • Reports from KNO2 or other TEFCA Participants

  • Reports from individuals, employees, or service providers

  • Anomalies in TEFCA transactions
     

11.3 Containment and Investigation

We:

  • Contain the incident

  • Secure affected systems

  • Preserve logs and evidence

  • Conduct a documented investigation

  • Assess scope, timing, and impact

  • Coordinate with KNO2 and follow QHIN instructions
     

11.4 Notification to Individuals

If your III is reasonably believed to have been affected, we notify you without unreasonable delay.

The notice includes:

  • What happened

  • What information was involved

  • How it was discovered

  • Steps you should take

  • What we are doing to mitigate and prevent recurrence

  • Contact information

 

11.5 Notification to KNO2, QHINs, and the RCE

We notify:

  • KNO2

  • The QHIN (if required)

  • The RCE (if thresholds are met)

Within required timelines:

  • 24 hours for severe incidents

  • 5 business days for other reportable incidents
     

11.6 TEFCA-Wide Coordination

We:

  • Participate in joint investigations

  • Provide logs and system information

  • Follow directives

  • Support root cause analysis

  • Implement corrective actions
     

11.7 Mitigation and Remediation

We:

  • Remediate vulnerabilities

  • Reset compromised credentials

  • Patch systems

  • Enhance monitoring

  • Provide additional training

  • Validate corrective actions
     

11.8 Documentation and Retention

We maintain detailed records of:

  • The incident

  • Investigation steps

  • Notifications

  • Communications

  • Mitigation

  • Final resolution

Records are retained as required by TEFCA.


11.9 No Waiver of Rights

Nothing in this section limits your rights under TEFCA or applicable law.


12. Additional Resources

We follow guidance from:

  • CARIN Alliance

  • CMS

  • Digital Medicine Society (DiMe)

  • FTC

  • HHS

  • Federal Plain Language Guidelines

  • Other recognized privacy and security frameworks
