Privacy Policy

Updated February 8, 2021

Table of contents

  10. stateofsmart APP
  11. athenaCapture APP


This privacy policy (“the Policy”) describes how athenahealth, Inc. ("athenahealth," “we,” “us,” "our”), and its subsidiaries and affiliated companies may collect, use, and share information about you that we obtain through (“the Website”). This Policy does not apply to other athenahealth platforms (e.g., Epocrates, athenaCollector, athenaClinicals, athenaCommunicator, athenaCoordinator, etc.), to other athenahealth product offerings that have their own privacy policies (e.g., athenaText), to the athenahealth Patient Portal, to other websites that we operate, or websites of third parties to which we provide links, unless otherwise identified in this Policy. This Policy will apply to any offline location that makes this Policy available to you. We do not control and are not responsible for the privacy practices of, or the data available on, the websites of other entities and we urge you to evaluate the soundness of these practices for yourself.

Return to top


athenahealth is a provider of network-enabled services for hospital and ambulatory customers nationwide, headquartered in the United States. For more information about athenahealth, please see the “About” section of the Website at

Return to top


The following types of information may be collected on the Website:

  • We may collect information you provide us if you access, voluntary enter information into, or sign up for or request certain services from us on our Website. For example, if you are interested in learning more about athenahealth and the services and products we offer, we may ask for information such as your name, practice/organization name, size and address, email address, telephone number, type of user (patient, provider, partner), and city/state. If you have an account with us, we may also collect your username or other login information (e.g., Practice ID) you use to log into or access your account. 
  • When you visit our Website, we may gather certain information about your visit and your device automatically. This information may, for example, reflect how you found, were directed to or used this Website. Similarly, we may collect your IP address, geolocation information, browser type and version, and other data about the equipment used to visit the Website, as well as your patterns of searching and browsing that preceded access to the Website, and the patterns of searching and browsing on the Website.
  • We may also collect information from other sources, including but not limited to the following categories of sources: consumers or users of the Website, data brokers or resellers from which we purchase data to supplement the data we collect, social networks when you engage with our content, reference our Website, or grant us permission to access information from the social networks, partners that offer co-branded services, sell or distribute our products, or engage in joint marketing activities, and information that is publicly available.

Our processing of data received from our customers (“Customer Data”) is governed by the agreements we enter into with our customers, which may include Business Associate Agreements as applicable and required under the Health Insurance Portability and Accountability Act (“HIPAA”). Our customers may also have their own privacy practices and/or policies that govern their collection and use of your data. We are not responsible for how our customers treat the information we collect on their behalf, and we recommend you review their own privacy policies. For further information on your rights and choices regarding Customer Data, see the “Your Rights and Choices” section below.

The Website does not respond to web browsers’ Do Not Track signals. Thus, your selection of the “do not track” option provided by your browser may not have any effect on our collection of cookie information for analytic and internal purposes. For more information on “Do Not Track,” visit

Return to top


We use information collected through tracking technologies, such as log files, cookies and web beacons when you use the Website. For example:

  • We track the number and activities of visitors using certain portions or features of the Website to make changes that may be necessary to improve or optimize the Website’s functionality and identify areas of interest to our visitors;
  • We track the popularity of features on the Website to inform the development of new ones;
  • We identify the types of devices our visitors use so that we can improve and optimize our systems and services;
  • We identify the type of visitors to the Website to determine whether are existing users of our services or products, or prospective clients for marketing and sales generation purposes; and
  • We assess the ways in which users become aware of or access the Website in order to gauge the quality and methods of our advertising.

By continuing to use our Website, including by remaining on the landing page, you consent to the use of cookies.

  • If you provide us with your information in connection with your interest in our products or services (e.g., through webforms), we will use such information to reach out to you about our products or services.
  • If you provide us with your information, we may use it for our own marketing, promotional, and informational purposes, including solicitations, invitations, newsletters, awareness campaigns, and announcements.
  • When you provide information on our Website or have an account with us, we may use your information to reach out to you and ask if you would like to participate in studies or respond to questions about how the services we offer do or do not meet your needs or can be improved (“Usability Activities”).

We use the information for the purposes explained at the time of collection, as described in this Policy and our Terms, and for our business purposes. For example:

We will not retain your information, whether obtained through tracking technologies or provided by you, longer than necessary to fulfill the purposes for which it was collected or as required by applicable laws or regulations. Wherever your information may be held by athenahealth or on its behalf, athenahealth takes reasonable and appropriate administrative, physical, and technical security safeguards to protect the information that you share with us from loss, theft, misuse and unauthorized access, alteration, destruction, and disclosure. In addition, athenahealth and its service providers enter into agreements which require that care and precautions be taken to prevent loss, misuse, or disclosure of your information. Nevertheless, transmission via the internet is not completely secure and we cannot guarantee the security of information about you.

Notwithstanding the above, we may use information that does not identify you (including information that has been aggregated or de-identified) for any purpose except as prohibited by applicable law. For information on your rights and choices regarding how we use information about you, please see the “Your Rights and Choices” section below.

Return to top


We engage certain service providers and third parties to process information on our behalf for business purposes. Service providers and third parties are used, for example, to track and associate internet search and browsing behavior with our advertisements, to provide analytics, and to provide functionality on the Website. In addition, we may share Website usage and information with these service providers and third parties to manage our content, administer ads, provide insights to us related to marketing needs, for market research purposes, and to analyze our marketing efforts.

We work with agencies, advertisers, ad networks, and other technology services to place ads about our products and services on other websites and services.

We use tracking technologies such as cookies and web beacons, and other storage technologies to collect or receive information and use that information to provide measurement services, analytics, and to deliver relevant ads and/or other content to you (“Interest-based Advertising”). More specifically, these companies use information about your activities across time and services for purposes of associating different devices you use, and to provide ads about goods and services of interest to you.

We also use audience matching services to reach people (or people similar to people) who have visited our Website or are identified in one or more of our databases (“Matched Ads”). This is done either with the use of cookies, or by providing a customer list to a technology service to match common factors between our data and their data or incorporating a pixel from a technology service into our own Website. For instance, we incorporate the Facebook pixel on our Website and may share your email address with Facebook as part of our use of Facebook Custom Audiences. Some technology services may provide us with their own data, which is then uploaded into another technology service for matching common factors between those datasets.

We share information with vendors, consultants, agents, and partners for business and commercial purposes to help us provide or improve our services or our Website. Our vendors include, but are not limited to, analytics and technology companies. Vendors may act as our service providers, or in certain contexts, independently decide how to process your information.

We share information with our related entities including our parent and sister companies for business purposes such as customer support, marketing, and technical operations. We also may share information with affiliates for commercial purposes.

We share information you make public through the Website, such as information that you post related to reviews of partners. Please think carefully before making information public as you are solely responsible for any information you make public. Once you have posted information, you may not be able to edit or delete such information, subject to additional rights set out in the “Your Rights and Choices” section below.

We also share information with other entities in the following situations:

  • Where you have given us your consent to share or use information about you;
  • When we believe that we need to share information about you to provide a service that you have requested from us or from others;
  • Where we are required by law or other legal process to disclose information, and where required, in response to a lawful request by public authorities, including meeting national security or law enforcement requirements.
  • Where we believe that it is necessary to avoid liability or violations of the law;
  • To protect the rights, property, life, health, security and safety of us, the Website or anyone else;
  • To an actual or potential buyer (and its agents and advisers) in connection with any actual or proposed purchase, merger or acquisition of all or any part of our business, provided that we inform the buyer it must use your information only for the purposes disclosed in this Policy;
  • At your request or direction, such as when you choose to share information with a social network about your activities on the Website; or
  • To any other person with notice to you and your consent to the disclosure.

Notwithstanding the above, we may share information that does not identify you (including information that has been aggregated or de-identified) except as prohibited by applicable law. For information on your rights and choices regarding how we share information about you, please see the “Your Rights and Choices” section below.

Return to top


INTEGRATIONS. We offer parts of our Website through websites, platforms, and services operated or controlled by separate entities. In addition, we integrate technologies operated or controlled by separate entities into parts of our Website. Some examples include:

  • Links. Our Website includes links that hyperlink to websites, platforms, and other services not operated or controlled by us.
  • Liking, Sharing, and Logging-In. We may embed a pixel or SDK on our Website that allows you to “like” or “share” content on, or log in to, your account through social media. If you choose to engage with such integration, we may receive information from the social network that you have authorized to share with us. Please note that the social network may independently collect information about you through the integration.
  • Brand Pages and Chatbots. We may offer our content through social media. Any information you provide to us when you engage with our content is treated in accordance with this Policy. Also, if you publicly reference our Website on social media (e.g., by using a hashtag associated with athenahealth in a tweet or post), we may use your reference on or in connection with our Website.
  • Platform Linking. Our Website may offer you the ability to link to another service or partner in order to retrieve certain data about your account on that service. For example, if you link your account to one of the partners in the athenahealth marketplace, the linking may allow us to obtain information such as your username and email address. For more information about how these platforms handle information about you, please refer to their respective privacy policies and terms of use.

Please note that when you interact with other entities, including when you leave our Website, those entities may independently collect information about you and solicit information from you. The information collected and stored by those entities remains subject to their own policies and practices, including what information they share with us, your rights and choices on their services and devices, and whether they store information in the U.S. or elsewhere. We encourage you to familiarize yourself with and consult their privacy policies and terms of use.

Return to top


  • Cookies and Pixels. Most browsers accept cookies by default. You can instruct your browser, by changing its settings, to decline or delete cookies. If you use multiple browsers on your device, you will need to instruct each browser separately. Your ability to limit cookies is subject to your browser settings and limitations.
  • Advertising. The companies we work with to provide you with targeted ads may be participants of the Digital Advertising Alliance (“DAA”) and/or the Network Advertising Initiative (“NAI”). To learn more about the targeted ads provided by these companies, and how to opt out of receiving certain targeted ads from them, please visit: (i) for website targeted ads from DAA participants,; (ii) for app targeted ads from DAA participants,; and (iii) for targeted ads from NAI participants, Opting out only means that the selected participants should no longer deliver certain targeted ads to you but does not mean you will no longer receive any targeted content and/or ads.
  • Matched Ads. To opt out of us using your data for Matched Ads, please contact us as set forth in the “Contact Us” section below and specify that you wish to opt out of matched ads. We will request that the applicable technology service not serve you matched ads based on information we provide to it. We may require assistance to remove any associated cookies. Alternatively, you may directly contact the applicable technology service to opt out.
  • Mobile Devices. You may also limit our use of information collected from or about your mobile device for purposes of serving targeted ads to you by going to your device settings and selecting “Limit Ad Tracking” (for iOS devices) or “Opt-out of Interest-Based Ads” (for Android devices).

Please note that if you opt-out using any of these methods, the opt-out will only apply to the specific browser or device from which you opt-out. We are not responsible for the effectiveness of, or compliance with, any opt-out options or programs, or the accuracy of any other entities’ statements regarding their opt-out options or programs.

Return to top


This Website is intended for a general audience and is not intended for minors under the age of eighteen. athenahealth does not wish to obtain any information from or about such minors through this Website. If you are under eighteen years old, do not use this Website. Our Website includes social media features, including “sharing” functions on Facebook and Twitter. Your interactions with these features are governed by the privacy policies of the companies providing these features, and we do not control and are not responsible for the privacy practices of, or the data available on, the websites of third parties.

We do not knowingly gather personal information (as defined by the U.S. Children’s Privacy Protection Act, or “COPPA”) in a manner not permitted by COPPA. If you are a parent or guardian and you believe we have collected information from your child in a manner not permitted by law, contact us at We will remove the data to the extent required by applicable laws.

We do not knowingly “sell,” as that term is defined under the CCPA, the personal information of minors under 16 years old who are California residents.

If you are a California resident under 18 years old, you can ask us to remove any content or information you have posted on the Website. To make a request, email us at the email address set out in “Contact Us” section with “California Under 18 Content Removal Request” in the subject line, and tell us what you want removed. We will make reasonable good faith efforts to remove the post from prospective public view, although we cannot ensure the complete or comprehensive removal of the content and may retain the content as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

Return to top


We are based in the U.S. and the information we collect is governed by U.S. law. If you are accessing the Website from outside of the U.S., please be aware that information collected through the Website may be transferred to, processed, stored, and used in the U.S. and other jurisdictions. Data protection laws in the U.S. and other jurisdictions may be different from those of your country of residence. Your use of the Website or provision of any information therefore constitutes your consent to the transfer to and from, processing, usage, sharing, and storage of information about you in the U.S. and other jurisdictions as set out in this Policy.

Return to top

X. “stateofsmart” APP

This section of this Policy describes your use of the “State of Smart” mobile application (“stateofsmart,” “application,” “app”). stateofsmart is an app intended be a portrait generator that converts a photographic image of your face into a colorful cartoon illustration. stateofsmart is available for download through the Apple and Android app stores.

stateofsmart is not intended to be used by children or minors under the age of 18. We do not knowingly solicit or collect personal information from children or minors under the age of 18 through stateofsmart.

Certain pieces of information will be collected from you when you use the stateofsmart application. When you download stateofsmart, you will be asked to identify whether you are an employee of athenahealth or a healthcare worker. If you select that you an ‘employee’ when accessing the application, you will be asked to provide the following personal information: First Name, Last Name, Email, Department, and Office Location. If you are an employee of athenahealth, the terms governing the use and collection of your information, including the portrait generated through your use of stateofsmart, include any employment agreement you have with athenahealth, its subsidiaries and/or its affiliates.

If you are not an employee of athenahealth, its subsidiaries and/or its affiliates, you will select that you are a ‘healthcare worker’ when accessing the application. You will be asked to provide the following personal information: First name, Last name, Email, State (dropdown selection), Business Name (optional), and Business role (optional).

The information you provided through stateofsmart will be used to send you an email containing your illustrated portrait for your use. The information you provide through stateofsmart is only shared outside of athenahealth with vendors integrated into the application who develop the illustrated portrait. These vendors have a contractual agreement with athenahealth which restricts their use of your information to the purpose of providing the services within the stateofsmart app.

In order to receive your illustration, you will be prompted to take a picture through the camera integrated into your device. You will not be able to upload a photograph into the application unless you grant stateofsmart access to your device camera. stateofsmart will then use the photograph taken with your device camera to generate a colorful illustration that resembles the image in your photograph. You can then customize the illustration with a library of different features. We do not use the photographs you provide when you use the stateofsmart for any reason other than to generate the portrait and do not receive the image itself.

You also have the option to ‘opt into marketing,’ when accessing stateofsmart which, when checked, will give athenahealth permission to us to use your illustration and/or the information you provided in the application for marketing purposes, which may include use of your portrait or information on our Website, digital advertisements and in printed materials. Granting athenahealth permission to use your illustration or the information you entered into the application is entirely voluntary. Users of the application do not have to opt into marketing in order to use the stateofsmart app.

If at any time you wish to revoke your previously provided selection to ‘opt into marketing’, you may go into stateofsmart app and uncheck the ‘opt into marketing’ option available on the screen where you insert your email address, or you can email us at By unchecking ‘opt into marketing,’ your portrait and the information you provided to the stateofsmart app, from that point going forward, will not be utilized for any marketing purpose, including the Website, digital advertisements, or in printed materials. If you do not choose to ‘opt into marketing,’ the information you provide to us, including your portrait, will not be used for any purpose other than for generation of the illustration and contacting you in connection with your use of stateofsmart.

athenahealth reserves the right to not generate a portrait at its sole discretion for any reason.

If you have any questions about stateofsmart and/or the information collected/used, please email

Return to top

XI. “athenaCapture” APP

This section of this Policy describes your use of the athenaCapture mobile application (“athenaCapture”). athenaCapture is an application intended to be used by Authorized Users of athenaNet.To access and use athenaCapture, you must be designated as an Authorized User pursuant to a Services Agreement (the "Services Agreement") entered by, and currently in effect, among athenahealth, Inc., and the organization(s) you are accessing this application on behalf of (each, an “Athenahealth Customer"). athenaCapture is a mobile application that is designed to provide the interface for healthcare providers (“Providers”) who are Authorized Users of an Athenahealth Customer, to allow such Providers to upload image information, acting in your capacity as an Authorized User, while using your phone.

athenaCapture is not intended to be used by children or minors under the age of 18. We do not knowingly solicit or collect personal information from children or minors under the age of 18 through athenaCapture.

Certain pieces of information will be collected from you when you use the athenaCapture application including the following:

  1. Information related to you and your use of athenaCapture including, but not limited to, device identification numbers, location (including city, country, region, and IP address), phone details (for example operating system information, app version being used, etc.), and language used;
  2. Information related to you as a Provider and the Athenahealth Customer associated with your use of athenaCapture including your athenaNet username, related Athenahealth Customer identifying information (for example, department identification information), and technical identification information including backend database related information;
  3. Information related to your device including the device identifier/instance identifier and name, model, Operating/System version, device brand name, and username used on the device;
  4. Information related to the document being scanned through your use of athenaCapture. For example, we collect information to enable document identification, associated chart information, document bar code, department identification, document class, timestamps;
  5. Information related to the functioning and utility of athenaCapture. For example, we collect information related to crashes (including time and date of the crash as well as the nature and cause of the crash). Information related to the functioning and utility of athenaCapture may also include information collected in connection with related codes/signals and corresponding phone details;
  6. Information related to the app itself. That is, we may collect information about the version of the app being used, how often it is being used, and what context (workflows) it is being used for. Additionally, information collected about the app includes information about the application events and document information.

The information you provided through athenaCapture will be used to:

  • Make athenaCapture available to you;
  • Provide athenaNet services to Athenahealth Customers; and for
  • Analytics purposes to ensure the app is working as intended.

You and the Athenahealth Customer are responsible for ensuring all consents, authorizations and permissions are obtained in advance of using, or submitting any information through, athenaCapture.

The information you provide through athenaCapture is shared outside of athenahealth with vendors who provide services in order for athenaCapture to function. These vendors have a contractual agreement with athenahealth which restricts their use of your information to the purpose of providing services to athenahealth. The information collected is also shared with the Athenahealth Customer who you are accessing the athenaCapture on behalf of.

We employ safeguards for the security of athenaCapture. To protect patient privacy, images pass directly from the athenaCapture app to athenaNet and are never stored unsecured on a device, such as a camera roll or a memory card inserted into a camera. All communication between the athenaCapture and athenaNet is secured by Transport Layer Security (TLS). TLS is a cryptographic protocol that provides communication security over a computer network. Barcode keys are employed when capturing the information through athenaCapture and the barcode contains a one-time-use key that is random and unique and is used to recognize the incoming web service transaction. Additionally, the athenaCapture app enforces a maximum session time, after which you are required to restart the session.

If you are a patient of an Athenahealth Customer and have any questions or concerns regarding the athenaCapture app, please contact your healthcare provider directly.

Return to top


Effective Date: January 1st, 2020

Last Reviewed: February 8, 2021

This Privacy Notice for California Residents (“Notice”) supplements the information contained in this Policy and included above, and applies solely to visitors, users, and others who reside in the State of California ("consumers" or "you"). We adopt this Notice to comply with the California Consumer Privacy Act of 2018 (“CCPA”) and any terms defined in the CCPA have the same meaning when used in this Notice.

Where noted in this Notice, the CCPA temporarily exempts personal information reflecting a written or verbal business-to-business communication ("B2B personal information") from some its requirements.

Information We Collect

We collect information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer, household, or device ("personal information"). Personal information does not include:

  • Publicly available information from government records.
  • Deidentified or aggregated consumer information.
  • Information excluded from the CCPA's scope, like:
    • Health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data.

In particular, our Website has collected the following categories of personal information from its consumers within the last twelve (12) months:

Category Examples Collected
A. Identifiers. A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver's license number, passport number, or other similar identifiers. YES
B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)). A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some personal information included in this category may overlap with other categories. YES
C. Protected classification characteristics under California or federal law. Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information). NO
D. Commercial information. Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. YES
E. Biometric information. Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data. Yes (only applicable for stateofsmart application)
F. Internet or other similar network activity. Browsing history, search history, information on a consumer's interaction with a website, application, or advertisement. YES
G. Geolocation data. Physical location or movements. YES
H. Sensory data. Audio, electronic, visual, thermal, olfactory, or similar information. NO
I. Professional or employment-related information. Current or past job history or performance evaluations. YES
J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)). Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records. NO
K. Inferences drawn from other personal information. Profile reflecting a person's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. YES

We obtain the categories of personal information listed above from the following categories of sources:

  • Directly from you. For example, from forms you complete or products and services you purchase.
  • Indirectly from you. For example, from observing your actions on our Website.

For more information on the information we collect, including the sources we receive information from, review the What Information Do We Collect? section above.

For more information on the information we collect, including the sources we receive information from, review the What Information Do We Collect? section above. athenahealth does not generally sell information as the term “sell” is traditionally understood. For more information about the sale of information for Epocrates, please visit the Epocrates privacy policy. To the extent “sale” under the CCPA is interpreted to include advertising technology activities such as those disclosed in the How Do We Use Your Information and the Social Media and Technology Integrations sections as a “sale,” we will comply with applicable law as to such activity. athenahealth discloses the following categories of personal information for commercial purposes: identifiers, demographic information, commercial information, internet activity, geolocation data and inferences. We use and partner with different types of entities to assist with our daily operations and manage our Website. Please review the Sharing Your Information section for more detail about the parties we have shared information with. Notwithstanding the foregoing, Epocrates, a subsidiary of athenahealth, Inc., is subject to its own privacy practices and privacy policy available on the Epocrates app or on

With respect to deidentified patient information, we disclose such deidentified information to third parties only when permissible pursuant to our contractual commitments with clients and in accordance with Health Insurance Portability and Accountability Act (“HIPAA”) requirements or other applicable law.  We employ the safe harbor method or the expert determination method, as enumerated under HIPAA.  Those third parties to whom the deidentified data is disclosed are third party service providers/vendors with whom we have relationships and/or academic researchers and/or institutions that are contributing to the improvement of healthcare.  

Use of Personal Information

We collect and use personal information for business and commercial purposes in accordance with practices described in this Policy, including in the last 12 months, one or more of the following business purposes:

  • To fulfill or meet the reason you provided the information. For example, if you share your name and contact information to request a price quote or ask a question about our products or services, we will use that personal information to respond to your inquiry. We may also save your information to facilitate new product orders.
  • To provide, support, personalize, and develop our Website, products, and services.
  • To create, maintain, customize, and secure your account with us.
  • To process your requests, purchases, transactions, and payments and to prevent transactional fraud.
  • To provide you with support and to respond to your inquiries, including to investigate and address your concerns and monitor and improve our responses.
  • To personalize your Website experience and to deliver directly to you content and product and service offerings relevant to your interests, including offers and ads through our Website, and via email.
  • To help maintain the safety, security, and integrity of our Website, products and services, databases and other technology assets, and business.
  • To help prevent and address fraud, breach of policies or terms, and threats or harm.
  • Sending you technical notices, updates, security alerts, information regarding changes to our policies, and support and administrative messages.
  • For testing, research, analysis, and product development, including to develop and improve our Website, products, and services.
  • To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations.
  • As described to you when collecting your personal information or as otherwise set forth in the CCPA.
  • To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by us is among the assets transferred.
  • To send you advertising.
  • To fulfil any other business or commercial purposes at your direction or with your notice and/or consent.

Your Rights and Choices

The CCPA provides consumers (California residents) with specific rights regarding their personal information. This section describes your CCPA rights and explains how to exercise those rights.

Right to Know

You have the right to request that we disclose certain information to you about our collection and use of your personal information in the preceding 12 months. Once we receive and confirm your verifiable consumer request (see Exercising Access, Data Portability, and Deletion), we will disclose to you, based upon your request:

  • The categories of personal information we collected about you.
  • The categories of sources for the personal information we collected about you.
  • Our business or commercial purpose for collecting or selling that personal information.
  • The categories of third parties with whom we share that personal information.
  • The specific pieces of personal information we collected about you (also called a data portability request).
  • If we sold or disclosed your personal information for a business purpose, two separate lists disclosing:
    • sales, identifying the personal information categories that each category of recipient purchased; and
    • disclosures for a business purpose, identifying the personal information categories that each category of recipient obtained.

We do not provide these access and data portability rights for B2B personal information.

Right to Delete

You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies. We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to:

  • Complete the transaction for which we collected the personal information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, fulfill the terms of a written warranty, or otherwise perform our contract with you.
  • Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
  • Debug products to identify and repair errors that impair existing intended functionality.
  • Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
  • Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et. seq.).
  • Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
  • Comply with a legal obligation.
  • Make other internal and lawful uses of that information that are compatible with the context in which you provided it.

We do not provide these deletion rights for B2B personal information.

Exercising Your Right to Know and Right to Delete

To exercise the access, data portability, and deletion rights described above, please submit a verifiable consumer request to us by either:

Submitting a request at

Calling our toll-free number at 888-807-2076

Sending an email to

Only you, or someone legally authorized to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child. The verifiable consumer request must provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative, which may include:

  • First and last name, email address, date of birth and username (as applicable).
  • Description of your request with sufficient detail that allows us to properly understand, evaluate, and respond.

We cannot substantively respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you, except where the CCPA does not require a verifiable request for a response. We will only use personal information provided in a verifiable consumer request to verify the requestor's identity or authority to make the request.

You may only make a consumer request for access or data portability twice within a 12-month period.

Response Timing and Format

We endeavor to respond to a consumer request within forty-five (45) days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing.

Any disclosures we provide will only cover the 12-month period preceding the consumer request's receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable.

Right to Opt-Out and Opt-In

To the extent athenahealth sells your personal information as the term “sell” is defined under the CCPA, you have the right to direct us to not sell your personal information at any time (the "right to opt-out"). Consumers who opt-in to personal information sales may opt-out of future sales at any time.

To exercise the right to opt-out, you (or your authorized representative) may submit a request to us by visiting the following Internet Web page link "Do Not Sell My Personal Information". You may also submit a request to opt-out by calling our toll-free number at 888-807-2076, or  by emailing us at

Once you make an opt-out request, you may change your mind and opt back into personal information sales at any time by emailing us at


We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:

  • Deny you goods or services.
  • Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
  • Provide you a different level or quality of goods or services.
  • Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

Other California Privacy Rights

California's "Shine the Light" law (Civil Code Section § 1798.83) permits users of our Website that are California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes in particular: Customers who are residents of California may request (i) a list of the categories of personal information disclosed by us to third parties during the immediately preceding calendar year for those third parties’ own direct marketing purposes; and (ii) a list of the categories of third parties to whom we disclosed such information. To make such a request, please send an email to write us at: Chief Compliance Officer, athenahealth, Inc. 311 Arsenal Street, Watertown, MA 02472. We may require additional information from you to allow us to verify your identity and only required to respond to requests once during any calendar year.

Return to top


We reserve the right to make updates and revisions to this Policy at our discretion and at any time. When we make changes to this Policy, we will post the updated notice on the Website and update the effective date. Any changes will be effectively as of the “Updated” date. Your continued use of our Website following the posting of changes constitutes your acceptance of such changes.

Return to top


If you have any questions or comments about this Policy, the ways in which athenahealth collects and uses your information described here, your choices and rights regarding such use, or you wish to exercise your rights under California law, please contact us at:

Calling us at 888-807-2076


Emailing us at

Or writing to:

athenahealth, Inc.
Attn: Chief Compliance Officer
311 Arsenal Street
Watertown, MA 02472

If you have a disability and would like to access this Policy in an alternative format, please contact us at 888-807-2076.

Return to top