PRIVACY NOTICE FOR PATIENT FACING APPLICATIONS

Please note: The below Privacy Policy applies to your use of athenahealth’s Services in your capacity as a patient. athenahealth offers such Services on behalf of our HIPAA regulated clients (i.e. your healthcare provider). For the Terms of use and Privacy Policy that apply to your use of our website, athenahealth.com, please visit athenahealth.com.


We, athenahealth, Inc. and our subsidiaries and affiliates (“athenahealth”, "we", "us") power health care solutions on behalf of your healthcare provider (our “Services”). These Services, which include applications, websites and mobile devices, may allow you to communicate, coordinate and manage your medical care with your healthcare provider. When you use the Services, our collection and handling of your information is regulated by the Health Insurance Portability and Accountability Act (“HIPAA”) and our agreements with your healthcare provider. This Privacy Policy describes our practices with respect to the information we obtain about you through the Services in our role as a Business Associate to your healthcare provider.

You may also receive a HIPAA Notice of Privacy Practices from your healthcare provider. If that HIPAA Notice of Privacy Practices conflicts with any provision in this Privacy Policy, your healthcare provider's HIPAA Notice of Privacy Practices will control. We do not control and are not responsible for your healthcare provider's privacy practices. For questions on those practices, please consult your healthcare provider.

Because the information we collect under this Privacy Notice is regulated by HIPAA, it may be exempt from certain U.S. state privacy laws like the California Consumer Privacy Act. You may contact us if you have questions about these exemptions.

Any unauthorized registration for, access or use of our Services, client accounts or Third Party Platforms is strictly prohibited.

What information do we collect?

In accordance with our agreements with your healthcare provider, we may collect your information in the following ways:

  • We collect information you provide us if you access, voluntarily enter information into, or sign up for or request our Services. The information we collect directly from you may include your name, email address, date of birth, contact information, health insurance carrier and plan, phone number(s), information related to your healthcare provider, medical information you provide to us, information related to your payment, and information related to family members and other individuals who are associated with your account.
  • You may also have the option in certain instances to enter additional information in free text fields so that, for example, your healthcare provider can manage your requested services or visit.
  • When you visit the websites or interact with any mobile applications or use our Services, we may gather certain information about your visit/use of the Services and your device. The information we automatically collect includes data about your device (for example, device ID, browser type), language preferences, IP address, information about when you accessed or registered, modified, logged in/out of the Services, information related to actions taken on the site and information related to your operating system. We may also collect information that allows us to connect the devices that you use to connect to the Services (such as your cell phone and your computer).
  • We may also collect information related to your use of the Services, including any permissions you set, authorizations you provide (including authorizations and information related to any third party platforms you use or access through your accounts), your language and communication preferences, security related information (such as your account credentials, of failed login attempts, timeouts, past passwords, security questions for identity or account validation, number and frequency of username or password resets, and access attempts), and geolocation information.

In addition, we may collect other information as permitted under applicable law or our agreements with your healthcare providers.


How do we use your information?

In general, we use your information only in accordance with HIPAA and our agreements with your healthcare provider. This includes, for example:

  • To provide, enhance, secure, support and improve the Services we provide to you and your healthcare provider. This includes communicating with you in connection with the Services as well as sending communications related to new features, feedback requests, technical notices and administrative messages;
  • For data analysis, internal management/operations, audits, and compliance with all applicable laws, regulations, and law enforcement requirements;
  • To enable cross-device/cross-context tracking for your log in with athena (“LWA”) account;
  • To fulfill or meet the reason you provided the information, such as registering you for the Services; and
  • To plan and execute security and risk control measures, like fraud and abuse detection and prevention for athenahealth or your healthcare provider.

We may also de-identify and/or aggregate your data for business purposes in accordance with our agreements with your healthcare providers. We de-identify protected health information in accordance with the HIPAA expert determination method and/or the safe harbor method.


Sharing your information

In general, we share your information only in accordance with HIPAA and our agreements with your healthcare provider. This includes, for example:

  • With your healthcare provider in the context of providing the Services to your healthcare provider as well as to comply with the contractual obligations we may have to your healthcare provider;
  • With our third-party vendors, consultants, agents, or other service providers or other third parties we use to help us provide or improve the Services;
  • With third parties that your healthcare provider has directed us to share your information, such as in accordance with your authorization or request;
  • With third parties that you consent to or direct us to send information to or receive information from, pursuant to our agreements with your provider;
  • When we are complying with laws or responding to lawful requests and legal processes or responding to an emergency situation;
  • When we believe it is necessary to protect our rights and the security of the Services, to protect the rights and security of our customers or partners, to avoid liability, and to avoid violations of the law; or
  • In connection with or during negotiation or consummation of any merger, divestiture, restructuring, reorganization, financing, acquisition, or bankruptcy transaction or proceeding involving sale or transfer of all or a portion of our business or assets to another company.

We may have the right under our agreements with your healthcare provider to de-identify data in accordance with HIPAA. We may sell or disclose such de-identified information to third parties.


Our use of cookies

We may use cookies on the Services. A cookie is a small file of letters and numbers downloaded on to your computer when you access certain websites. We use cookies to authenticate users, block malicious use of login credentials and shield against unauthorized access to our Service. We also may use cookies to collect information about our Services in order to understand and improve our Services. These cookies also help us learn how well our Services operate across different locations and identify any issues in the operation and provision of our Services.

Most internet browsers accept cookies by default. You can block cookies by activating the setting on your browser that allows you to reject all or some cookies. The help and support area on your internet browser should have instructions on how to block or delete cookies. Some web browsers (including some mobile web browsers) provide settings that allow you to control or reject cookies or to alert you to when a cookie is placed on your computer, tablet or mobile device. Our Services are not currently designed to recognize if your browser sends a “do not track” signal or similar mechanism to indicate you do not wish to be tracked or receive interest-based ads.

For more information, visit the help page for your web browser or see http://www.allaboutcookies.org or visit www.youronlinechoices.com which has further information about the use of cookies and online privacy.


Data retention

We retain your information for as long as permitted under our contracts with your healthcare providers or as needed to comply with our legal obligations, to resolve disputes, and to enforce our legal rights, policies, terms and agreements.


Security of information

We use technical, administrative, and physical safeguards designed to protect the security of your information from unauthorized disclosure. However, security cannot be guaranteed against all threats.


Electronic communications

In connection with your accounts created through your use of the Services, athenahealth may need to send business, informational, support and security related messages (whether texts, alerts or calls) to all telephone numbers, including cellular numbers or mobile devices, you choose to provide on your accounts. You agree such texts or calls may be pre-recorded messages or placed with an automatic telephone dialing system. In addition, you agree that athenahealth may send service or account related text messages to cellular phone numbers you provide to athenahealth, and you agree to accept and pay all carrier message and data rates that apply to such text messages.

If you choose to provide an e-mail or other electronic address on your account, you acknowledge and consent to receive business and informational messages relating to your account at the address, and you represent and warrant that such address is your correct address and is not accessible or viewable by any other person.


Third Party Platforms

The Services may include links to or information about websites, applications, products, services, and solutions that are operated by third parties (“Third-Party Platforms”). We do not control and are not responsible for Third-Party Platforms or any information you may share with, or access from, any Third-Party Platforms.


Changes to our Privacy Policy

We reserve the right to amend this Policy, including but not limited to the California Privacy Rights Notice above, at our discretion and at any time. When we make changes to this Policy, we will post the updated Policy on the website and update the Policy's effective date. Your continued use of our website following the posting of changes constitutes your acknowledgment of such changes.


Contact information

You may contact us by:


How to send us your feedback

Our goal is to respect your privacy and we encourage user feedback to help us improve our privacy policies. If you have any questions or suggestions about this privacy statement or our processing of your personal information, please contact us using the methods listed above.

LAST UPDATED: TBD