Communications (Non-Marketing) | FDR Member Engagement Services

Effective Date: June 30, 2026

Last Reviewed: February 27, 2026

Section 1: Introduction & Who We Are

DUOS Living, Inc. (“DUOS,” “we,” “us,” “our”) is a technology-enabled member engagement company that partners with health plans to connect their members with benefits, community resources, and support services.

We operate as a First Tier, Downstream, or Related Entity (FDR) under contract with Medicare Advantage (MA), Managed Medicaid, and Prescription Drug Plan (PDP) sponsors. We provide communications services — not marketing or enrollment services.

DUOS is NOT a health plan, healthcare provider, or insurance company. We do not make coverage, enrollment, or benefit determination decisions.

This Privacy Policy explains how we collect, use, disclose, and protect your information. This Policy applies to all information collected through our services, website, mobile application, phone, text, email, and mail communications.

Section 2: Information We Collect

Categories of Personal Information:

  • Identifiers: Name, address, phone number, email, date of birth, member ID, Medicare/Medicaid beneficiary number
  • Health plan information: Plan name, plan type (MA/Medicaid/PDP), enrollment status, benefit details
  • Health-related information: Health assessments, wellness check-in responses, care coordination notes, appointment information. Note: when received from or on behalf of your health plan, this may constitute Protected Health Information (PHI) under HIPAA.
  • Communication preferences: Preferred language, preferred contact method, opt-in/opt-out status, accessibility needs
  • Geolocation data: General location (city/state) for connecting you with local resources (not precise GPS)
  • Device/technical information: IP address, browser type, device type, cookies (when using our website/app)
  • Interaction data: Call records, text message logs, email engagement, service utilization

Sources of Information:

  • Directly from you (phone calls, texts, forms, website interactions)
  • From your health plan (member eligibility data, health information under Business Associate Agreement)
  • From service providers assisting with service delivery
  • Automatically from your device when using our website or application

Section 3: How We Use Your Information

  • Providing member engagement services under contract with your health plan
  • Connecting you with health plan benefits and community resources
  • Scheduling and managing appointments
  • Conducting wellness check-ins and health assessments
  • Sending communications (phone, text, email, mail) about your services
  • Improving our services and member experience
  • Complying with legal, regulatory, and contractual obligations (HIPAA, CMS, TCPA)
  • Internal operations: analytics, quality assurance, training, compliance monitoring

We do NOT sell your personal information. We do NOT use your information for marketing health plans or influencing enrollment decisions.

Section 4: How We Share Your Information

  • With your health plan: Service reports, outcome data, as required by our contract and BAA
  • With service providers: Third parties who assist in delivering our services (bound by confidentiality agreements)
  • With community resources: Only with your consent, to connect you with local services
  • As required by law: Court orders, subpoenas, regulatory requirements, mandated reporting
  • For compliance: Responding to plan sponsor audits, CMS reviews, regulatory examinations

We do NOT sell your personal information to any third party. We do NOT share your information for third-party marketing purposes.

Section 5: HIPAA & Protected Health Information

DUOS is a Business Associate under HIPAA as defined in 45 CFR § 160.103. We maintain Business Associate Agreements (BAAs) with all contracting health plan sponsors.

Protected Health Information (PHI) received from or on behalf of your health plan is handled in accordance with HIPAA and the applicable BAA. We apply the minimum necessary standard — we access only the PHI reasonably necessary to provide your services.

PHI categories we may receive:

  • Member identifiers and health plan enrollment data
  • Health assessment and care coordination information
  • Appointment and service utilization data

Breach Notification:

In the event of a breach of unsecured PHI, DUOS will: (a) notify your health plan within 60 days of discovery per 45 CFR § 164.410; (b) notify you as required by 45 CFR § 164.404; and (c) report to HHS as required by 45 CFR § 164.408.

Your HIPAA Rights (exercised through your health plan):

Access to PHI, amendment of PHI, accounting of disclosures, request for confidential communications, and request for restrictions. To request that DUOS contact you via an alternative method (e.g., specific phone number, no texts), notify your health plan or contact DUOS directly.

Section 6: Your California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).

IMPORTANT: PHI that DUOS handles under HIPAA is exempt from the CCPA/CPRA (Cal. Civ. Code § 1798.145(c)). The rights below apply to personal information NOT governed by HIPAA.

Your Rights:

  • Right to Know: Request the categories and specific pieces of personal information collected, the sources, purposes, and third parties we share with.
  • Right to Delete: Request deletion of personal information (subject to exceptions for legal obligations, contract performance).
  • Right to Correct: Request correction of inaccurate personal information.
  • Right to Opt-Out of Sale/Sharing: DUOS does not sell your personal information and does not share it for cross-context behavioral advertising.
  • Right to Limit Use of Sensitive Personal Information: You may request we limit use of sensitive PI to what is necessary to provide services.

Non-Discrimination:

DUOS will not discriminate against you for exercising your CCPA/CPRA rights. Exercising these rights will not affect your health plan benefits, coverage, or access to DUOS services.

Sensitive Personal Information:

Categories DUOS may process: racial/ethnic origin (for health equity programs, with consent), health information (to extent not HIPAA-governed). We do not collect Social Security numbers or precise geolocation.

How to Exercise Your Rights:

Call (855) 212-9242 or email privacy@getduos.com. We will verify your identity using at least two data points. Response within 45 calendar days (one 45-day extension permitted with notice). You may designate an authorized agent with written permission.

Section 7: Your Virginia Privacy Rights (VCDPA)

Virginia residents have rights under the Virginia Consumer Data Protection Act: access, correction, deletion, data portability, and opt-out of targeted advertising, profiling, and sale of personal data.

To exercise rights, contact us using the information in Section 14. Appeal process: if we decline your request, you may appeal by emailing privacy@getduos.com. We will respond within 60 days. You may also contact the Virginia Attorney General.

Section 8: Your Colorado & Connecticut Privacy Rights

Colorado (CPA, effective July 2023) and Connecticut (CTDPA, effective July 2023) residents have similar rights: access, correction, deletion, data portability, and opt-out of targeted advertising, profiling, and sale.

Colorado: Right to appeal with 45-day response; may file complaint with CO Attorney General. Connecticut: Right to appeal with 60-day response; may file complaint with CT Attorney General. PHI under HIPAA is exempt under both laws.

Section 9: Data Retention

We retain personal information only as long as necessary for the purposes described in this Policy:

  • Member engagement records: Duration of plan contract + 10 years (per CMS FDR record retention requirements)
  • PHI: Per BAA requirements and HIPAA (minimum 6 years from date of creation or last effective date)
  • Communication records (call logs, texts, emails): 6 years per TCPA statute of limitations best practice
  • Website/app data (cookies, analytics): 13 months
  • Consent records: Duration of engagement + 6 years

After retention periods expire, data is securely deleted or de-identified.

Section 10: Data Security

DUOS implements administrative, technical, and physical safeguards to protect your information, including: encryption in transit (TLS) and at rest (AES-256), access controls, multi-factor authentication, regular security assessments, employee training, and incident response procedures.

We conduct regular risk assessments consistent with HIPAA Security Rule requirements (45 CFR § 164.308). Despite our safeguards, no system is 100% secure. If you suspect unauthorized access, contact us immediately.

Section 11: Children’s Privacy

DUOS services are designed for adult health plan members. We do not knowingly collect personal information from children under 13. If we learn we have collected information from a child under 13, we will promptly delete it.

Section 12: Cookies & Tracking Technologies

Our website and application use cookies and similar technologies:

  • Strictly Necessary: Required for site functionality (cannot be disabled)
  • Analytics: Help us understand usage patterns and improve services (can be opted out)
  • Functionality: Remember your preferences (language, accessibility settings)

We do NOT use advertising or tracking cookies. Manage cookies through your browser settings..

Section 13: AI & Automated Decision-Making

DUOS uses AI-assisted tools to improve member engagement and resource matching. AI tools help identify relevant benefits and community resources based on your needs. All AI-generated recommendations are reviewed by human staff before action.

AI is NOT used to make decisions about your health plan coverage or benefits. You may request information about how AI is used in your services by contacting us.

Section 14: Updates to This Policy & Contact Us

We may update this Privacy Policy from time to time. Material changes will be communicated via the contact information on file and posted on our website. Continued use of DUOS services after updates constitutes acceptance.

Contact Us:

DUOS Living, Inc.

305 N 5th Ave, Ste. 410,

Minneapolis, MN, 55401

Phone: 855-212-9242

Email: privacy@getduos.com

Website: www.getduos.com

Compliance concerns: privacy@getduos.com

Document Version: 1.0 | Effective Date: June 30, 2026 | Last Reviewed: February 27, 2026

This document is for informational purposes and does not constitute legal advice. DUOS Living, Inc. should consult qualified legal counsel to ensure compliance with all applicable laws.