The purpose of this Privacy and Personal Data Protection Policy (the “Policy”) is to outline how the Company will protect Personal Data, including, without limitation, Protected Health Information as defined by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), of its patients, patient family members, other patient advocates and representatives, Company Personnel, candidates for employment, and customers.
This Policy applies to healthAlign and its subsidiaries (collectively referred to as the “Company”). This Policy applies to Company Personnel, including employees, temporary workers, and any authorized representatives, contractors, or agents (collectively referred to as “Company Personnel” or “You” or “you”).
Personal Data is only collected, used, and disclosed by the Company in accordance with this Policy. Personal Data may not be added to a Company Database unless it is collected and processed in accordance with this Policy.
All of the Company’s other personnel policies remain in full force and effect. Except to the extent in conflict with this Policy, the Company’s Employee Handbook, Code of Conduct and Ethics, and other policies shall supplement this Policy.
This Policy applies whether or not the activities are conducted from or the information is maintained on the Company’s premises.
This Policy establishes a minimum level of standards.
If as part of your relationship with the Company you provide services directly to a customer of the Company either at the customer’s facility or remotely, you will be subject to this Policy as well as any similar policy issued by the customer.
“Company” healthAlign and its subsidiaries.
“Company Personnel” or “You” or “you” Any employee or temporary worker of the Company and any authorized representatives, contractors, or agents of the Company.
4 Collection, Notice, and Disclosure
4.1.1 Collection of Personal Data: The Company collects Personal Data to operate effectively and to comply with state and federal regulations related to employment and the provision of patient care. The Company collects and maintains Personal Data from its customers, clients, and Company Personnel as defined above. The Company may also collect personal information that is voluntarily provided by users through Company web sites that allow users to set up an account or otherwise submit information for inquiry purposes.
4.1.2 Personal Data – Employment: Personal Data about a Data Subject may be collected and included in the following:
18.104.22.168 Company interview notes;
22.214.171.124 Information obtained through reference and background checks; 126.96.36.199 Educational or professional accreditation records;
188.8.131.52 Information necessary to provide payroll services, including banking details, tax deductions, and vacation allowances;
184.108.40.206 Information necessary to comply with laws or regulations (e.g. I-9 forms);
220.127.116.11 Information about employees, temporary workers, and their respective dependents and beneficiaries, as required, to enroll in any benefits packages;
18.104.22.168 Reference letters; and
22.214.171.124 Test results.
4.1.3 Personal Data – Provision of Care and Services to Patients and Customers: We may collect Personal Data from patients and customers solely for the purposes of documenting patient care and obtaining payment for services or for providing service to customers as further outlined in contractual agreements.
4.1.4 Notice to Data Subjects Regarding Purpose: The Company notifies all identified Data Subjects about the purposes for which Personal Data is collected and used. Inappropriate situations, however, Personal Data may be “de-identified” so that the identity of individual Data Subjects cannot be known. In these cases, the Company will not notify the Data Subjects regarding the purpose for which Personal Data is collected and used by the Company.
4.1.5 Requests for Personal Data: When requesting Personal Data (online or offline), fields that are required to be completed by the Data Subject shall be identified as such. For example, if the Data Subject is required to submit name and email address in order to participate, but is also asked for physical address, employer, and title, the “name” and “email address” fields shall be identified as required or mandatory fields and the consequences of failure to complete these fields shall be indicated.
4.1.6 Required Data Fields: The Company will only require that any data fields be mandatory only where the Personal Data is necessary to achieve the stated purpose.
4.2 Collection of Sensitive Data: Unless permitted or required by applicable law, Sensitive Data may not be collected from anyone, including but not limited to patients, patient advocates and representatives, employees, temporary workers, and their respective dependents and beneficiaries, prospective employees, customers, online visitors, business partners, and other third parties, and may not be stored in the Company’s Databases or by vendors or other third parties acting on the Company’s behalf. In some jurisdictions, an individual cannot validly consent to the processing of Sensitive Data unless such processing is required by law. Patient information designated as “sensitive”, such as psychotherapy notes or HIV/AIDS diagnosis, shall be secured in a separate portion of the patient’s medical record and shall be disclosed only when authorized to do so by the patient or their authorized legal representative; in response to a court order; or when required to provide care, treatment, or services.
4.3 Confidentiality of Personal Data: Personal Data is considered confidential and should not be disclosed within the Company except to those employees who “need to know” and third-party non-employees who “need to know” such information to satisfactorily perform their jobs and have expressly agreed to protect its confidentiality. Those who “need to know” are those who need the information to properly perform their jobs and could not be expected to do so without access to such information. Generally, employees should exercise reasonable diligence to avoid disclosure of Personal Data to third parties except when necessary and only after appropriate security precautions are taken or the proper consent has been obtained. In addition to using Personal Data internally, the Company may at times share this information with third parties. The Company only shares Personal Data about Data Subjects that are relevant to the Company’s legitimate business purposes or as required to meet legal and regulatory requirements and at all times pursuant to a Permitted Use. All Personal Data transferred to a third party shall be considered “confidential” unless otherwise specified.
4.4 Protection of Patient Information: Information regarding patients shall not be displayed in areas that are available to the public or unauthorized personnel.
5 Choice and Consent
5.1 Use of Personal Data Limited to Purpose for Collection: Personal Data shall not be collected or used for purposes other than the purpose for which the Data Subject supplied the Personal Data, unless the Data Subject has consented to such other purpose. This will generally be by Opt-In, except where Opt-Out is permitted under this Policy and applicable law. Where it is allowed in accordance with this Policy, Opt-Out is only valid to the extent and for the purpose of which the Data Subject has been informed at the time, and if subsequently a different purpose is intended, then it is necessary to go back and inform the Data Subject providing a renewed opportunity to Opt-Out.
5.2 Opt-In Right: Where required by applicable law, Data Subjects shall be given the option to Opt-In to use their Personal Data for purposes other than the purpose for which the Personal Data was supplied. This includes all methods of collection, whether online, business replay or other mail-back cards or otherwise. Additionally, where required by applicable law, Data Subjects shall be given the opportunity to Opt-In if the Personal Data is to be disclosed to a third party.
5.3 Opt-Out Right: Where required by applicable law, a Data Subject shall be given the opportunity to Opt-Out from allowing the Company to disclose Personal Data to a third party and the choice of whether or not to allow the Company to use the Personal Data for purposes incompatible with the purpose for which it was originally collected or authorized. The Company reserves the right to require sufficient information to confirm the identity of the individual requesting Opt-Out.
5.4 Right to Withdraw Consent: Where required by applicable law, a Data Subject shall be given the opportunity to withdraw consent at any time. This right cannot be conditioned or restricted.
6 Use and Disclosure of Personal Data
6.1 Permitted Uses of Personal Data: Personal Data may not be used, collected, retained, distributed, or disclosed except in accordance with a Permitted Use. The following are Permitted Uses:
6.1.1 For payment and health care operations related to the coordination of patient care;
6.1.2 To provide the ability to contact the Data Subject;
6.1.3 To comply with human resources requirements, including conducting workplace investigations involving the Company or a customer of the Company;
6.1.4 To comply with government regulations;
6.1.5 To provide payroll and human resources functions, including employee benefits programs;
6.1.6 To support recruitment inquiries;
6.1.7 To facilitate the job search process and to help the Company find a suitable temporary or permanent job match for the Data Subject, including providing Personal Data to customers of the Company to facilitate the temporary or permanent placement process;
6.1.8 To measure the number of users and usage of our websites;
6.1.9 To store information about the Data Subject’s online preferences;
6.1.10 To recognize when the Data Subject returns to our web sites;
6.1.11 To provide the Data Subject with information on goods and services requested or which may interest the Data Subject, where the Data Subject has consented to be contacted for such purposes;
6.1.12 For notification of events, surveys, workshops, and training sessions run by the Company;
6.1.13 To notify the Data Subject about changes to our services;
6.1.14 Pursuant to consent from the Data Subject; and
6.1.15 Where the disclosure of Personal Data is permitted or required by law (collectively and individually a “Permitted Use”).
6.2 Fair and Lawful Processing of Personal Data: Personal Data shall be processed fairly and lawfully using only the minimum amount necessary to perform an assigned task. Personal Data shall be collected, used, and disclosed for a specified, explicit, and legitimate purpose and not further processed in a way incompatible with that purpose.
6.3 Accuracy of Personal Data: Personal Data shall be accurate and, where necessary, kept up to date. Every reasonable step shall be taken to ensure that data, which is inaccurate or incomplete, with regard to the purposes for which it was collected and for which it is further processed, is erased or rectified.
6.4 Retention of Personal Data: Personal Data shall be kept in a form that permits identification of Data Subjects for no longer than is necessary for the purposes for which the data was collected or for which it is further processed. Once the Personal Data is no longer needed for legal or legitimate business purposes, the Company shall destroy or de-identify the Personal Data in accordance with the Company’s Records RetentionPolicy.
6.5 Photographs, Digital Images, and Recording:
6.5.1 All business-related photographs, film, videotape, and digital photography require proper written consent. No person may photograph a patient, family, or caregiver without first obtaining proper consent or authorization from the Privacy Officer.
6.5.2 The use of personal cellular phones, cameras, or other electronic devices to record any patient, family, or caregiver information, for any purpose is strictly prohibited.
7 Data Security
7.1 Security Measures for Personal Data: The Company will strive to provide security that is proportional to the sensitivity of the Personal Data being protected. The following technical, administrative, and organizational measures shall be implemented and observed to protect Personal Data from accidental or unlawful destruction; from accidental loss, alteration, unauthorized disclosure or access; and against all other unlawful forms of processing. At all times, Personal Data shall be handled according to the Company Information Security Policy.
7.1.1 Restricted and Secured Access: All Personal Data shall be kept secure with restricted access. Access to Personal Data shall be restricted via use of secure files, locks, cabinets, passwords, etc., and limited to those with a legitimate business purpose related to a Permitted Use.
7.1.2 Database Identification: Databases shall identify the Permitted Uses of Personal Data.
7.1.3 Disclosure of Personal Data to Third Parties: The Company may not always be able to control how Personal Data will be handled by a third party. Where required by applicable law, however, prior to the disclosure of Personal Data to a third party, the Company will obtain a written agreement from the third-party obligating the third party to provide the same level of administrative, physical, and technical safeguards to protect Personal Data as used by the Company and requiring the third party to return to the Company or certify adequate destruction of the Personal Data when the third party ceases to be a data processor of the Personal Data. Where required by applicable law, this agreement shall restrict the third party’s use of the Personal Data to only the purposes for which it was obtained. Additionally, when appropriate or required by applicable law, the Company shall be given the contractual right to periodically audit third-party vendors’ use, processing, storage, and destruction of Personal Data.
7.1.4 Third-Party Obligations Regarding Personal Data Breaches: As part of the overall effort to adequately protect Personal Data, when appropriate or required by applicable law, third parties shall be contractually obligated to notify the Company promptly following an actual or reasonably suspected privacy or security breach, including the unauthorized access, use, modification, or transfer of Personal Data. When appropriate, third parties shall also be contractually obligated to cooperate with the Company in the event of an actual or reasonably suspected privacy or security breach.
7.1.5 Original paper records shall be filed and shall not be removed from the office except by court order or for transfer to and from storage facilities or other authorized sites as needed to accomplish the day-to-day business of the Company. Records shall be stored in a manner that minimizes the possibility of damage from theft, wind, fire, and water.
7.1.6 All personnel records will be kept in a locked cabinet or room when not being utilized. Officer Leadership will be responsible for the key. No unauthorized individual will be allowed access to records.
7.1.7 Records may be photocopied by authorized employees as necessary to accomplish the day-to-day business of the Company. Where possible and as necessary, Personal Data, including but not limited to an individual’s name, email address, work or home telephone number, home postal or other physical address, birth date, drivers’ license number or other municipality-issued identification card number, social security number or another national identification number, financial account, credit card or debit card number, or other information that enables identification of a person or individual, shall be removed or otherwise redacted (blackened out) for privacy purposes.
7.2 Documentation being placed in the mail shall be secured in proper envelopes, addressed to the office, and contain adequate postage for delivery.
8 Training of Company Personnel Regarding Policies
8.1 Training of Company Personnel Regarding Security Procedures for Personal Data: Company Personnel shall be trained to take reasonable precautions to physically secure Personal Data. The Company shall establish and maintain physical and environmental controls as needed for each facility that employees should be aware of and follow.
9 Data Access
9.1 Review of Personal Data by Data Subjects: Personal Data shall be available to Data Subjects for review and update by one of the following methods.
9.1.1 Indirect Review of Personal Data: Indirect methods include an email alias to which Data Subjects can submit requests to update their Personal Data or their preferences or a phone number that the Data Subject can call.
9.1.2 Example: The following language, appearing on a web page, is an example of an indirect method of access: “If you have submitted personal information to the Company via our web site and would now like to have that information updated, please send an email to [insert name of alias]@healthalignco.com.”
9.1.3 Direct Review of Personal Data: Direct methods include password-protected access to Databases for online updating by Data Subjects of their Personal Data.
9.1.4 Example: Registered Applicants can review and update their Personal Data by accessing a self-service portal.
9.2 Requests to Access, Use, or Disclose Personal Data: As required or permitted under applicable state and federal laws, Data Subjects may make a written request for access to or release of their Personal Data that the Company holds for them. The Company reserves the right to redact protected information in order to give Data Subjects access to their Personal Data.
9.2.1 Each request to access, use, or disclose Personal Data shall be reviewed and managed in accordance with the Company’s GUIDELINES FOR RESPONDING TO REQUESTS/SUBPOENAS FOR ACCESS TO, AMENDMENT OF AND/OR RELEASE OF PATIENT AND EMPLOYMENT RECORDS.
9.3 Request for Amendment or Correction: As required or permitted under applicable state and federal laws, Data Subjects have the right to have their Personal Data corrected, amended, or deleted as appropriate where it is inaccurate. All requests for amendments or corrections to a medical record shall be submitted to the Privacy Officer.
(4) that cookies or web bugs are placed on the Company’s websites by third parties; and (5) a disclosure of any transfer of Personal Data collected by a Company cookie or web bug to third parties, including contractors and vendors. Any collection of Personal Data by third-party cookies or web bugs and any transfer to third parties of the information collected by the Company’s cookies and web bugs for purposes unrelated to the reason for which the Personal Data was initially collected require that Data Subjects Opt-In to such transfers. The Company will disclose all uses of tracking technology, whether cookies, web bugs, or similar technologies, upfront and explain to users how they may disable cookies, web bugs, or the similar technology being used via their browsers.
10.3 Notice to Users Regarding Cookies or Web Bugs: Users should be directed to wording similar to the following on websites where cookies or web bugs are used to collect Personal Data:
“A cookie is a small data file that certain websites write to your hard drive when you visit them. A cookie file can contain information such as a user ID that the site uses to track the pages you have visited.
A web bug is a graphic on a web page or email that gathers information about the computers that view the web page or email. A web bug can collect your IP address and the time you viewed the website or email.
If you prefer not to receive cookies or web bugs while browsing our website, you can set your browser to warn you before accepting cookies or web bugs and refuse them when your browser alerts you to their presence.
You can also refuse all cookies and web bugs by turning them off in your browser, although you may not be able to take full advantage of the Company’s websites if you do so. You do not need to have cookies turned on to use/navigate through many parts of the Company’s website, except access to certain of the Company’s web pages requires a login and password.
You can typically find information on how to adjust your cookie preferences for popular browsers at each browser’s support site.
11 Click-through Tracking
11.1 Collection of Non-Personal Data: Where possible, the Company will collect only non Personal Data if click-through tracking is being used on a site.
11.2 Collection of Personal Data: If Personal Data will be collected, click-through tracking or other forms of online tracking are not permitted unless:
11.2.1 Meaningful Disclosure: The Company provides Data Subjects with a meaningful disclosure about what tracking is being conducted, what information or Personal Data is being collected, how it is used, and how a Person can Opt-Out;
11.2.2 Method for Opt-Out: The Company provides Data Subjects with a clear and unambiguous method for Opting Out; and
11.2.3 Security and Storage of Personal Data: The information or Personal Data collected shall be secure and kept for no longer than necessary for the stated purpose.
11.2.4 Use of Personal Data for Different Purpose: Before the Company uses the information or Personal Data in a manner that is materially different from what was stated when the data was collected, where required by applicable law, it will obtain the affirmative express consent (Opt-In) from the Data Subject.
11.3 Collection of Sensitive Personal Data: Sensitive Personal Data shall not be collected for use in marketing unless the appropriate consent is obtained in jurisdictions where consent is allowed to be obtained.
12 Sale of Personal Data
It is against the Company’s policy to sell or rent Personal Data that the Company maintains about Data Subjects, including but not limited to its employees, temporary workers, and their respective dependents and beneficiaries, prospective employees, customers, prospective customers, clients, online visitors, or business partners.
13 Agreements with Vendors of Personal Data and Providers of Services
13.1 Company Policy with Vendors: The Company’s policy is to do business with companies that respect the privacy of Data Subjects. Where appropriate, vendors and business partners that handle or manage Personal Data for the Company or host websites or applications for the Company should have appropriate Privacy Statements on their websites and follow policies regarding the collection and use of Personal Data which are at least as restrictive as the Company’s Privacy and Personal Data Protection Policy.
13.2 Procurement of Personal Data from Vendors: It is essential that vendors who are selling or passing on Personal Data have the right to do so for the purposes for which the Company needs it. To ensure this, appropriate agreements shall be signed. No list may be purchased or rented for use by the Company unless the vendor represents and warrants that the Personal Data was collected in a manner that conforms with applicable law and which permits the use for which the Personal Data is procured.
13.3 Recordkeeping Requirement for Procurement of Personal Data: Any Company Personnel receiving Personal Data from a third party shall maintain adequate records of lists rented or purchased so as to be able to identify the source of the Personal Data.
14 Persons under the Age of 18 and 13
14.1 Persons under the age of 18: The Company’s policy is not to collect Personal Data from individuals under the age of 18 without the consent of their parents.
14.2 Persons under the age of 13: The Company’s policy is not to collect Personal Data from children under the age of 13 (Minor Children). Any deviation from this Policy requires approval from the Legal Department.
15 Spam and Email Marketing
15.1 Spam and Email Marketing Guidelines: Spam, generally speaking, is the unlawful practice of sending commercial emails to persons with whom one has had no prior business or personal relationship or sending email without a truthful reply path. Email Marketing shall adhere to the following:
15.1.1 Truthful Information: All information regarding the point of origin, the transmission path, and the return path shall be truthful, meaning the reply path of the email shall return to the Company when the recipient sends a “reply to” email.
15.1.2 Consent by Recipient: No email may be sent to a recipient who has not consented to receive the email in accordance with this Policy, or who has unsubscribed after initially Opting In from receiving emails from the Company.
15.1.3 Adherence to Opt-Out: No email may be sent to an individual who has Opted Out by requesting to be listed on a do-not-email list.
15.1.4 Unsubscribe Information: All email sent by the Company as part of an email to a mailing list shall contain instructions (in a type size at least as large as the text of the email) on how to unsubscribe from receiving future marketing emails. Unsubscribe requests shall be honored within ten (10) business days.
15.1.5 Email Addresses in Database: Email addresses cannot be entered into a Database unless the Data Subjects have Opted In to receive an email from the Company.
15.1.6 Entity Information: Emails should include the Company entity’s name, physical address, and either a toll-free number or an email address for use by individuals who wish to Opt-Out from receiving future emails.
16 Data Retention and Cleaning
16.1 Compliance with Laws and Policy: The Company will retain Personal Data as long as required by law, by regulation, and in accordance with its Record Retention Policy. A customer of the Company may also require that the Company keep or destroy Personal Data in accordance with the customer’s data retention policy. Personal Data will be retained and disposed of in a secure manner in accordance with the Company’s Record Retention Policy.
16.2 Retention of Personal Data: Personal Data shall be retained only for the amount of time necessary for the Permitted Uses and shall be kept up to date. Inactive information should not be kept for longer than required by applicable law or business necessity and should be kept in accordance with the Company’s Record Retention Policy.
16.3 Updates to Personal Data: It is up to each Database Owner to regularly update Personal Data and Opt-In and Opt-Out preferences.
Any Company Personnel found to have violated this Policy may be subject to disciplinary action, up to and including termination of employment or contract, with or without prior notice or warning.
To the extent, any portion of this Policy is inconsistent with any federal, provincial, state, or local law or regulation, such portion shall be modified to the extent necessary to comply with such federal, provincial, state, or local law or regulation, and the remaining portions of the Policy shall remain unaffected.
18 Revision History