Updated December 31, 2019
Table of contents
- SCOPE AND PURPOSE
- WHAT DOES ATHENAHEALTH DO?
- WHAT INFORMATION DO WE COLLECT?
- HOW DO WE USE YOUR INFORMATION?
- SHARING YOUR INFORMATION
- SOCIAL MEDIA AND TECHNOLOGY INTEGRATIONS
- YOUR RIGHTS AND CHOICES
- INTERNATIONAL TRANSFER
- CALIFORNIA PRIVACY RIGHTS NOTICE
- CONTACT INFORMATION
I. SCOPE AND PURPOSE:
II. WHAT DOES ATHENAHEALTH DO?
athenahealth is a provider of network-enabled services for hospital and ambulatory customers nationwide, headquartered in the United States. For more information about athenahealth, please see the “About” section of the Website at www.athenahealth.com.
III. WHAT INFORMATION DO WE COLLECT?
The following types of information may be collected on the Website:
- We may collect information you provide us if you access, voluntary enter information into, or sign up for or request certain services from us on our Website. For example, if you are interested in learning more about athenahealth and the services and products we offer, we may ask for information such as your name, practice/organization name, size and address, email address, telephone number, type of user (patient, provider, partner), and city/state. If you have an account with us, we may also collect your username or other login information (e.g., Practice ID) you use to log into or access your account. If you are a partner submitting a lead to us, we will collect information related to you as a partner as well as information related to the lead including details about the organization, address, contact information, needs, past purchase history, and purchaser preferences.
- When you visit our Website, we may gather certain information about your visit and your device automatically. This information may, for example, reflect how you found, were directed to or used this Website. Similarly, we may collect your IP address, geolocation information, browser type and version, and other data about the equipment used to visit the Website, as well as your patterns of searching and browsing that preceded access to the Website, and the patterns of searching and browsing on the Website.
- We may also collect information from other sources, including but not limited to the following categories of sources: consumers or users of the Website, data brokers or resellers from which we purchase data to supplement the data we collect, social networks when you engage with our content, reference our Website, or grant us permission to access information from the social networks, partners that offer co-branded services, sell or distribute our products, or engage in joint marketing activities, and information that is publicly available.
Our processing of data received from our customers (“Customer Data”) is governed by the agreements we enter into with our customers, which may include Business Associate Agreements as applicable and required under the Health Insurance Portability and Accountability Act (“HIPAA”). Our customers may also have their own privacy practices and/or policies that govern their collection and use of your data. We are not responsible for how our customers treat the information we collect on their behalf, and we recommend you review their own privacy policies. For further information on your rights and choices regarding Customer Data, see the “Your Rights and Choices” section below.
The Website does not respond to web browsers’ Do Not Track signals. Thus, your selection of the “do not track” option provided by your browser may not have any effect on our collection of cookie information for analytic and internal purposes. For more information on “Do Not Track,” visit http://www.allaboutdnt.com.
IV. HOW DO WE USE YOUR INFORMATION?
We use information collected through tracking technologies, such as log files, cookies and web beacons when you use the Website. For example:
- We track the number and activities of visitors using certain portions or features of the Website to make changes that may be necessary to improve or optimize the Website’s functionality and identify areas of interest to our visitors;
- We track the popularity of features on the Website to inform the development of new ones;
- We identify the types of devices our visitors use so that we can improve and optimize our systems and services;
- We identify the type of visitors to the Website to determine whether such users are existing clients or prospective clients for marketing and sales generation purposes; and
- We assess the ways in which users become aware of or access the Website in order to gauge the quality and methods of our advertising.
- If you provide us with your information in connection with your interest in our products or services (e.g., through webforms), we will use such information to reach out to you about our products or services.
- If you provide us with your information, we may use it for our own marketing, promotional, and informational purposes, including solicitations, invitations, newsletters, awareness campaigns, and announcements.
- When you provide information on our Website or have an account with us, we may use your information to reach out to you and ask if you would like to participate in studies or respond to questions about how the services we offer do or do not meet your needs or can be improved (“Usability Activities”).
We use the information for the purposes explained at the time of collection, as described in this Policy and our Terms, and for our business purposes. For example:
We will not retain your information, whether obtained through tracking technologies or provided by you, longer than necessary to fulfill the purposes for which it was collected or as required by applicable laws or regulations. Wherever your information may be held by athenahealth or on its behalf, athenahealth takes reasonable and appropriate administrative, physical, and technical security safeguards to protect the information that you share with us from loss, theft, misuse and unauthorized access, alteration, destruction, and disclosure. In addition, athenahealth and its service providers enter into agreements which require that care and precautions be taken to prevent loss, misuse, or disclosure of your information. Nevertheless, transmission via the internet is not completely secure and we cannot guarantee the security of information about you.
Notwithstanding the above, we may use information that does not identify you (including information that has been aggregated or de-identified) for any purpose except as prohibited by applicable law. For information on your rights and choices regarding how we use information about you, please see the “Your Rights and Choices” section below.
V. SHARING YOUR INFORMATION
We engage certain service providers and third parties to process information on our behalf for business purposes. Service providers and third parties are used, for example, to track and associate internet search and browsing behavior with our advertisements, to provide analytics, and to provide functionality on the Website. In addition, we may share Website usage and information with these service providers and third parties to manage our content, administer ads, provide insights to us related to marketing needs, for market research purposes, and to analyze our marketing efforts.
We work with agencies, advertisers, ad networks, and other technology services to place ads about our products and services on other websites and services.
We use tracking technologies such as cookies and web beacons, and other storage technologies to collect or receive information and use that information to provide measurement services, analytics, and to deliver relevant ads and/or other content to you (“Interest-based Advertising”). More specifically, these companies use information about your activities across time and services for purposes of associating different devices you use, and to provide ads about goods and services of interest to you.
We share information with vendors, consultants, agents, and partners for business and commercial purposes to help us provide or improve our services or our Website. Our vendors include, but are not limited to, analytics and technology companies. Vendors may act as our service providers, or in certain contexts, independently decide how to process your information.
We share information with our related entities including our parent and sister companies for business purposes such as customer support, marketing, and technical operations. We also may share information with affiliates for commercial purposes.
We share information you make public through the Website, such as information that you post related to reviews of partners. Please think carefully before making information public as you are solely responsible for any information you make public. Once you have posted information, you may not be able to edit or delete such information, subject to additional rights set out in the “Your Rights and Choices” section below.
We also share information with other entities in the following situations:
- • Where you have given us your consent to share or use information about you;
- When we believe that we need to share information about you to provide a service that you have requested from us or from others;
- Where we are required by law or other legal process to disclose information, and where required, in response to a lawful request by public authorities, including meeting national security or law enforcement requirements.
- Where we believe that it is necessary to avoid liability or violations of the law;
- To protect the rights, property, life, health, security and safety of us, the Website or anyone else;
- To an actual or potential buyer (and its agents and advisers) in connection with any actual or proposed purchase, merger or acquisition of all or any part of our business, provided that we inform the buyer it must use your information only for the purposes disclosed in this Policy;
- At your request or direction, such as when you choose to share information with a social network about your activities on the Website; or
- To any other person with notice to you and your consent to the disclosure.
Notwithstanding the above, we may share information that does not identify you (including information that has been aggregated or de-identified) except as prohibited by applicable law. For information on your rights and choices regarding how we share information about you, please see the “Your Rights and Choices” section below.
VI. SOCIAL MEDIA AND TECHNOLOGY INTEGRATIONS
We offer parts of our Website through websites, platforms, and services operated or controlled by separate entities. In addition, we integrate technologies operated or controlled by separate entities into parts of our Website. Some examples include:
- • Links. Our Website includes links that hyperlink to websites, platforms, and other services not operated or controlled by us.
- Liking, Sharing, and Logging-In. We may embed a pixel or SDK on our Website that allows you to “like” or “share” content on, or log in to, your account through social media. If you choose to engage with such integration, we may receive information from the social network that you have authorized to share with us. Please note that the social network may independently collect information about you through the integration.
- Brand Pages and Chatbots. We may offer our content through social media. Any information you provide to us when you engage with our content is treated in accordance with this Policy. Also, if you publicly reference our Website on social media (e.g., by using a hashtag associated with athenahealth in a tweet or post), we may use your reference on or in connection with our Website.
VII. YOUR RIGHTS AND CHOICES
- Cookies and Pixels. Most browsers accept cookies by default. You can instruct your browser, by changing its settings, to decline or delete cookies. If you use multiple browsers on your device, you will need to instruct each browser separately. Your ability to limit cookies is subject to your browser settings and limitations.
- Advertising. The companies we work with to provide you with targeted ads may be participants of the Digital Advertising Alliance (“DAA”) and/or the Network Advertising Initiative (“NAI”). To learn more about the targeted ads provided by these companies, and how to opt out of receiving certain targeted ads from them, please visit: (i) for website targeted ads from DAA participants, https://www.aboutads.info/choices; (ii) for app targeted ads from DAA participants, https://www.aboutads.info/appchoices; and (iii) for targeted ads from NAI participants, https://www.networkadvertising.org/choices/. Opting out only means that the selected participants should no longer deliver certain targeted ads to you but does not mean you will no longer receive any targeted content and/or ads.
- Matched Ads. To opt out of us using your data for Matched Ads, please contact us as set forth in the “Contact Us” section below and specify that you wish to opt out of matched ads. We will request that the applicable technology service not serve you matched ads based on information we provide to it. We may require assistance to remove any associated cookies. Alternatively, you may directly contact the applicable technology service to opt out.
- Mobile Devices. You may also limit our use of information collected from or about your mobile device for purposes of serving targeted ads to you by going to your device settings and selecting “Limit Ad Tracking” (for iOS devices) or “Opt-out of Interest-Based Ads” (for Android devices).
Please note that if you opt-out using any of these methods, the opt-out will only apply to the specific browser or device from which you opt-out. We are not responsible for the effectiveness of, or compliance with, any opt-out options or programs, or the accuracy of any other entities’ statements regarding their opt-out options or programs.
This Website is intended for a general audience and is not intended for minors under the age of eighteen. athenahealth does not wish to obtain any information from or about such minors through this Website. If you are under eighteen years old, do not use this Website. Our Website includes social media features, including “sharing” functions on Facebook and Twitter. Your interactions with these features are governed by the privacy policies of the companies providing these features, and we do not control and are not responsible for the privacy practices of, or the data available on, the websites of third parties.
We do not knowingly gather personal information (as defined by the U.S. Children’s Privacy Protection Act, or “COPPA”) in a manner not permitted by COPPA. If you are a parent or guardian and you believe we have collected information from your child in a manner not permitted by law, contact us at firstname.lastname@example.org. We will remove the data to the extent required by applicable laws.
We do not knowingly “sell,” as that term is defined under the CCPA, the personal information of minors under 16 years old who are California residents.
If you are a California resident under 18 years old, you can ask us to remove any content or information you have posted on the Website. To make a request, email us at the email address set out in “Contact Us” section with “California Under 18 Content Removal Request” in the subject line, and tell us what you want removed. We will make reasonable good faith efforts to remove the post from prospective public view, although we cannot ensure the complete or comprehensive removal of the content and may retain the content as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.
IX. INTERNATIONAL TRANSFER
We are based in the U.S. and the information we collect is governed by U.S. law. If you are accessing the Website from outside of the U.S., please be aware that information collected through the Website may be transferred to, processed, stored, and used in the U.S. and other jurisdictions. Data protection laws in the U.S. and other jurisdictions may be different from those of your country of residence. Your use of the Website or provision of any information therefore constitutes your consent to the transfer to and from, processing, usage, sharing, and storage of information about you in the U.S. and other jurisdictions as set out in this Policy.
X. PRIVACY NOTICE FOR CALIFORNIA RESIDENTS
Effective Date: January 1st, 2020
Last Reviewed: December 31, 2019
This Privacy Notice for California Residents (“Notice”) supplements the information contained in this Policy and included above, and applies solely to visitors, users, and others who reside in the State of California ("consumers" or "you"). We adopt this Notice to comply with the California Consumer Privacy Act of 2018 (“CCPA”) and any terms defined in the CCPA have the same meaning when used in this Notice.
Where noted in this Notice, the CCPA temporarily exempts personal information reflecting a written or verbal business-to-business communication ("B2B personal information") from some its requirements.
Information We Collect
We collect information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer, household, or device ("personal information"). Personal information does not include:
- Publicly available information from government records.
- Deidentified or aggregated consumer information.
- Information excluded from the CCPA's scope, like:
- o Health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data.
In particular, our Website has collected the following categories of personal information from its consumers within the last twelve (12) months:
|A. Identifiers.||A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver's license number, passport number, or other similar identifiers.||YES|
|B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)).||A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some personal information included in this category may overlap with other categories.||YES|
|C. Protected classification characteristics under California or federal law.||Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information).||YES|
|D. Commercial information.||Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.||YES|
|E. Biometric information.||Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data.||NO|
|F. Internet or other similar network activity.||Browsing history, search history, information on a consumer's interaction with a website, application, or advertisement.||YES|
|G. Geolocation data.||Physical location or movements.||YES|
|H. Sensory data.||Audio, electronic, visual, thermal, olfactory, or similar information.||NO|
|I. Professional or employment-related information.||Current or past job history or performance evaluations.||YES|
|J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)).||Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.||NO|
|K. Inferences drawn from other personal information.||Profile reflecting a person's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.||YES|
We obtain the categories of personal information listed above from the following categories of sources:
- Directly from you. For example, from forms you complete or products and services you purchase.
- Indirectly from you. For example, from observing your actions on our Website.
For more information on the information we collect, including the sources we receive information from, review the What Information Do We Collect? section above.
Our Website is intended to provide information to our business clients and job applicants. If you are a business client or job applicant, you understand and agree that information collected about you is solely within the context of (i) your role as an employee, job applicant, owner, director, officer, or contractor or (ii) athenahealth conducting due diligence regarding, or providing or receiving a product or service to or from your employer.
If you are a California resident and we, as a service provider, have processed personal information about you on behalf of our clients and you wish to exercise your CCPA rights, please inquire with our client directly. If you wish to make your request directly to us, please provide the name of our client on whose behalf we processed your personal information. We will refer your request to that client and will support them to the extent required by California privacy law in responding to your request.
Use of Personal Information
We collect and use personal information for business and commercial purposes in accordance with practices described in this Policy, including in the last 12 months, one or more of the following business purposes:
- To fulfill or meet the reason you provided the information. For example, if you share your name and contact information to request a price quote or ask a question about our products or services, we will use that personal information to respond to your inquiry. We may also save your information to facilitate new product orders.
- To provide, support, personalize, and develop our Website, products, and services.
- To create, maintain, customize, and secure your account with us.
- To process your requests, purchases, transactions, and payments and to prevent transactional fraud.
- To provide you with support and to respond to your inquiries, including to investigate and address your concerns and monitor and improve our responses.
- To personalize your Website experience and to deliver directly to you content and product and service offerings relevant to your interests, including offers and ads through our Website, and via email.
- To help maintain the safety, security, and integrity of our Website, products and services, databases and other technology assets, and business.
- To help prevent and address fraud, breach of policies or terms, and threats or harm.
- Sending you technical notices, updates, security alerts, information regarding changes to our policies, and support and administrative messages.
- For testing, research, analysis, and product development, including to develop and improve our Website, products, and services.
- To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations.
- As described to you when collecting your personal information or as otherwise set forth in the CCPA.
- To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by us is among the assets transferred.
- To send you advertising.
- To fulfil any other business or commercial purposes at your direction or with your notice and/or consent.
Your Rights and Choices
The CCPA provides consumers (California residents) with specific rights regarding their personal information. This section describes your CCPA rights and explains how to exercise those rights.
Right to Know
You have the right to request that we disclose certain information to you about our collection and use of your personal information in the preceding 12 months. Once we receive and confirm your verifiable consumer request (see Exercising Access, Data Portability, and Deletion 0), we will disclose to you, based upon your request:
- The categories of personal information we collected about you.
- The categories of sources for the personal information we collected about you.
- Our business or commercial purpose for collecting or selling that personal information.
- The categories of third parties with whom we share that personal information.
- The specific pieces of personal information we collected about you (also called a data portability request).
- If we sold or disclosed your personal information for a business purpose, two separate lists disclosing:
- sales, identifying the personal information categories that each category of recipient purchased; and
- disclosures for a business purpose, identifying the personal information categories that each category of recipient obtained.
We do not provide these access and data portability rights for B2B personal information.
Right to Delete
You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies. We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to:
- Complete the transaction for which we collected the personal information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, fulfill the terms of a written warranty, or otherwise perform our contract with you.
- Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
- Debug products to identify and repair errors that impair existing intended functionality.
- Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
- Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et. seq.).
- Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
- Comply with a legal obligation.
- Make other internal and lawful uses of that information that are compatible with the context in which you provided it.
We do not provide these deletion rights for B2B personal information.
Exercising Your Right to Know and Right to Delete
To exercise the access, data portability, and deletion rights described above, please submit a verifiable consumer request to us by either:
Submitting a request at www.athenahealth.com/consumer-privacy-request/
Calling our toll-free number at 888-807-2076
Sending an email to email@example.com
Only you, or someone legally authorized to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child. The verifiable consumer request must provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative, which may include:
- First and last name, email address, date of birth and username (as applicable).
- Description of your request with sufficient detail that allows us to properly understand, evaluate, and respond.
We cannot substantively respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you, except where the CCPA does not require a verifiable request for a response. We will only use personal information provided in a verifiable consumer request to verify the requestor's identity or authority to make the request.
You may only make a consumer request for access or data portability twice within a 12-month period.
Response Timing and Format
We endeavor to respond to a consumer request within forty-five (45) days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing.
Any disclosures we provide will only cover the 12-month period preceding the consumer request's receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable.
Right to Opt-Out and Opt-In
To the extent athenahealth sells your personal information as the term “sell” is defined under the CCPA, you have the right to direct us to not sell your personal information at any time (the "right to opt-out"). Consumers who opt-in to personal information sales may opt-out of future sales at any time.
To exercise the right to opt-out, you (or your authorized representative) may submit a request to us by visiting the following Internet Web page link "Do Not Sell My Personal Information". You may also submit a request to opt-out by calling our toll-free number at 888-807-2076, or emailing us at firstname.lastname@example.org.
Once you make an opt-out request, you may change your mind and opt back into personal information sales at any time by emailing us at email@example.com.
We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:
- Deny you goods or services.
- Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
- Provide you a different level or quality of goods or services.
- Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.
Other California Privacy Rights
California's "Shine the Light" law (Civil Code Section § 1798.83) permits users of our Website that are California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes in particular: Customers who are residents of California may request (i) a list of the categories of personal information disclosed by us to third parties during the immediately preceding calendar year for those third parties’ own direct marketing purposes; and (ii) a list of the categories of third parties to whom we disclosed such information. To make such a request, please send an email to write us at: Chief Compliance Officer, athenahealth, Inc. 311 Arsenal Street, Watertown, MA 02472. We may require additional information from you to allow us to verify your identity and only required to respond to requests once during any calendar year.
We reserve the right to make updates and revisions to this Policy at our discretion and at any time. When we make changes to this Policy, we will post the updated notice on the Website and update the effective date. Any changes will be effectively as of the “Updated” date. Your continued use of our Website following the posting of changes constitutes your acceptance of such changes.
If you have any questions or comments about this Policy, the ways in which athenahealth collects and uses your information described here, your choices and rights regarding such use, or you wish to exercise your rights under California law, please contact us at:
Calling us at 888-807-2076
Emailing us at firstname.lastname@example.org
Or writing to:
Attn: Chief Compliance Officer
311 Arsenal Street
Watertown, MA 02472
If you have a disability and would like to access this Policy in an alternative format, please contact us at 888-807-2076.