Privacy Policy

Last updated: [[Dec 01, 2025]]

This Privacy Policy explains how Equipo Health, Inc. (“Equipo”, “we”, “us” or “our”) collects, uses, discloses, and protects information when you use the Equipo or Contigo application, related websites, and services (collectively, the “Services”).

We understand that the information we process may include Protected Health Information (“PHI”) and other sensitive personal data. We are committed to protecting this information and complying with applicable U.S. laws, including the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its implementing regulations, where they apply to our activities.

By using or accessing the Services, you acknowledge that you have read, understood, and agree to the practices outlined in this Privacy Policy. If you do not agree, please do not use the Services.

1. Who We Are and Our Role Under HIPAA

Equipo Health, Inc. provides technology and workflow solutions to healthcare organizations, including providers, clinics, health systems, accountable care organizations (ACOs), payers, and other covered entities and their business associates (collectively, “Clients”). The Services support:

Population health management and risk stratification
Care coordination and case management workflows
Scheduling and appointment management
Patient engagement, education, and communication

When Equipo Health processes data on behalf of Clients—including PHI—we generally act as a Business Associate under HIPAA. In this role, our use and disclosure of PHI is governed by:

This Privacy Policy
Business Associate Agreements (BAAs) with Clients
Applicable federal and state healthcare privacy laws

2. Information We Collect

2.1 Personal & Patient Information

Identifiers: Name, date of birth, gender, contact details (email, phone, address)
Unique patient identifiers, health system IDs, or insurance numbers
Caregiver or family contact details, where applicable

2.2 Protected Health Information (PHI)

Protected Health Information includes, but is not limited to:

Medical and Clinical Data : Medical histories, diagnoses, treatment records, allergies, medications, provider and facility details, clinical notes, and documentation.
Administrative and Encounter Data : Scheduling and encounter data, reminders, follow-up details, care plan participation, care gap closure, and outreach activity.
Patient-Reported Data : Patient-reported symptoms, surveys, self-assessments, and questionnaires.
Analytical Data : Risk scores, chronic condition indicators, and population health metrics.
Activity and Vitals Data (including from Device Integration) : This includes data collected or synchronized from integrated devices or platforms like Health Connect by Android, where permitted by your provider and with your consent. Specifically, the application may use:
Activity : Steps, distance travelled, total calories burned, and active calories burned.
Vitals : Heart rate, resting heart rate, heart rate variability, blood pressure, blood glucose, oxygen saturation, respiratory rate, and body temperature.
Body Metrics : Height, weight, and basal metabolic rate.
Wellness : Sleep data.
Historical Data : Health data history across all of the above categories.

2.3 Technical & Usage Data

IP address, device identifiers, operating system, browser type, app version
Login timestamps, session identifiers, and access logs
Pages or features accessed, clickstream data, interaction logs
Error logs, performance logs, and security logs
Cookies and similar technologies (when using web properties)
Metadata related to the use of data access APIs, such as Health Connect.

3. How We Use Information

3.1 Delivery of Services

To operate, maintain, and secure the Equipo or Contigo platform and related Services
To support patient engagement, care coordination, and case management
To enable scheduling, appointment reminders, and follow-up workflows
To provide dashboards, alerts, and reports to authorized Client users

To display, track, and monitor health metrics, including activity and vitals data, to you and your authorized care team to support your care plan.

3.2 Population Health & Care Management

To assist Clients with chronic care programs, outreach, and risk stratification
To support quality and value-based programs (e.g., care gaps, utilization, outcomes)

3.3 Security, Compliance, and Legal Obligations

To monitor for unauthorized access, prevent fraud, and ensure system integrity
To comply with HIPAA, HITECH, and other legal and regulatory requirements
To enforce our agreements and protect the rights, safety, and property of Equipo, our Clients, and users

3.4 De-identified & Aggregated Analytics

We may use de-identified or aggregated data for analytics, research, reporting, and performance metrics—provided it no longer identifies any individual. De-identification is performed in accordance with HIPAA requirements.

4. How We Share Information

We do not sell your PHI.

We may share information:

With your healthcare providers, health plans, and authorized care teams for treatment, payment, and healthcare operations
With authorized caregivers or guardians, where permitted by law or with your consent
With vetted service providers (e.g., cloud hosting, messaging, analytics, monitoring) that act as subcontractors under HIPAA
When required by law, regulation, or legal process
To protect the rights, property, safety, or security of Equipo, our Clients, users, or the public
In connection with a merger, acquisition, or other business transfer, subject to continued protection of the information

5. Data Security & Cloud Infrastructure

We implement administrative, physical, and technical safeguards designed to protect the confidentiality, integrity, and availability of information, including PHI, in accordance with HIPAA and industry standards.

The Services are hosted on Amazon Web Services (AWS) using HIPAA-eligible and industry-recognized cloud infrastructure. While AWS maintains its own security certifications and compliance programs (such as SOC reports and ISO certifications), Equipo remains responsible for application-level security and for meeting our obligations as a Business Associate under HIPAA.

Our safeguards include, as appropriate:

Encryption of PHI at rest (e.g., AES-256) and in transit (e.g., TLS 1.2+)
Role-based access controls, least-privilege principles, and access approvals
Multi-factor authentication (MFA) where enabled by Clients
Network and application firewalls, intrusion detection and prevention measures
Audit logs, monitoring, and regular security reviews
Data backup, redundancy, and disaster recovery procedures
Policies, training, and confidentiality obligations for personnel with access to PHI

No method of transmission or storage is completely secure, and we cannot guarantee absolute security. However, we continuously work to maintain and improve our security controls.

6. Data Retention

We retain information, including PHI, for as long as reasonably necessary to:

Provide the Services to our Clients and end users
Support clinical, operational, and reporting needs of our Clients
Comply with legal, regulatory, and contractual obligations
Maintain business records and enforce our agreements
Also, you can request to delete by contacting us at support@equipohealth.com

Our Clients may specify retention periods for PHI within their agreements and applicable law. When data is no longer needed for these purposes, we will delete or de-identify it in accordance with our policies, BAAs, and legal requirements.

7. Your Rights

Your rights to access, amend, restrict, or request an accounting of disclosures of your PHI are primarily governed by HIPAA and enforced through your relationship with your healthcare provider or plan.

In general, to exercise your HIPAA rights, you should contact your healthcare provider or plan directly. Where we are able to assist, we will do so at the request or direction of the Client.

For personal information that we control outside of PHI (for example, information collected on our corporate websites), you may have additional rights under applicable privacy laws, such as rights to access, correct, or delete your personal data, subject to legal limitations.

8. Data Breach Procedure

We maintain an incident response program consistent with HIPAA and other applicable requirements. In the event of a data breach involving PHI or other personal information, we will:

Promptly investigate and contain the incident
Assess the scope and impact of the breach
Notify affected Clients and, where required, affected individuals and/or regulators within applicable timeframes
Cooperate with Clients in connection with any required notifications or remedial actions

9. Children and Dependent Patients

The Services may be used by healthcare providers to support care for minors or dependent individuals under applicable laws and policies. In these cases, PHI is processed as part of the clinical relationship under the direction of the provider or plan.

Our Services and corporate websites are not otherwise directed to children under 13, and we do not knowingly collect personal information directly from children under 13 without appropriate authorization. If you believe we have collected personal information from a child inappropriately, please contact us so we can take appropriate action.

10. International Users

The Services are primarily designed for use by healthcare organizations and individuals in the United States. If you access the Services from outside the United States, you understand that your information may be transferred to, stored, and processed in the United States and in other jurisdictions where we or our service providers operate, which may have data protection laws different from those in your jurisdiction.

11. Interoperability and Third-Party Health IT Systems

Equipo may integrate with electronic health records (EHRs), health information exchanges, and other healthcare information technology systems using interoperability standards such as HL7 v2.x, FHIR (Fast Healthcare Interoperability Resources), CDS Hooks, and related APIs or messaging protocols, where enabled by our Clients.

When data is exchanged with third-party systems:

Such exchanges occur under the direction and authorization of the Client (e.g., your provider or plan).
Use and disclosure of PHI within those external systems is governed by the applicable provider, plan, or system operator’s privacy policies and agreements.

We work to support industry-standard interoperability in a manner that maintains appropriate security and privacy protections and is consistent with our obligations as a Business Associate.

12. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our Services, our practices, or applicable laws. When we make material changes, we will update the “Last updated” date at the top of this page and, where required, provide additional notice (for example, through in-app notifications, email, or website banners).

Your continued use of the Services after any changes become effective constitutes your acceptance of the updated Privacy Policy. If you do not agree with the changes, you should discontinue use of the Services.

13. Contact Us

If you have questions or concerns about this Privacy Policy or our privacy practices, please contact us at:

Equipo Health, Inc.
285 Durham Ave, Suite 2
South Plainfield, NJ 07080
United States
Email: support@equipohealth.com
Phone: 800.482.9082