Last Updated: June 2023
Health Insurance Portability and Accountability Act of 1996 (HIPAA) & State Law
Note that PHI is generally exempt from the requirements of the California Consumer Privacy Act and similar U.S. state consumer privacy laws.
Datavant as a Service Provider
Personal Information We Collect and How We Use It
- “Personal Information” is information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with you or your household. Datavant collects Personal Information from you when you send us emails or otherwise voluntarily submit your information to us. We also collect your Personal Information through our use of data collection technologies and from marketing partners, recruiting partners, and background check or Disclosure and Barring Service providers.
Depending on how you use the Services, we may collect the following categories of Personal Information about you:
- Identifiers, such as your name, mailing address, email address, phone number, and account numbers. Typically, we collect this information directly from you to contact you regarding administrative notices, your use of the Services, or in connection with your interactions with us, such as through an employment application.
- Internet and other Electronic Activity Information, such as your browsing history and browser preferences. Typically, we collect this information through cookies and other data collection technologies to understand how you use our website.
- Commercial Information, such as your financial and payment information, including credit card and payment card information. Typically, we collect this information directly from you to process payments you request or otherwise adjust your account.
If you are a job applicant, we may also collect the following Personal Information about you:
- Records about you, such as your signature and identity verification information.
- Protected class and demographic information, such as your age, military or veteran status, gender, and background check information relating to your criminal history, if any.
- Professional or employment-related information, such as the contents of your resume, employment history, and references.
In addition to the purpose of collection described above, we may also collect Personal Information generally for the following reasons:
- For the purpose for which you provided it.
- To maintain and service your account.
- To administer and improve our website.
- To evaluate your job application and ensure equal opportunities in our application process (if you’ve applied for a job).
- To aggregate with other users’ Personal Information to better understand the services being provided, how to improve these services and how to improve the Services.
- To communicate with you and respond to inquiries you send to us.
- To promote our products and services to you.
- To comply with legal, regulatory and risk management obligations.
Some of the information we collect may be considered Sensitive Personal Information, such as your and financial account information. We use and disclose your Sensitive Personal Information only for the following limited business purposes: (i) performing services an average person would expect; (ii) detecting security incidents; (iii) addressing malicious, deceptive, or illegal actions; (iv) ensuring the physical safety of individuals; (v) for short-term, transient use; (vi) performing or providing internal business services; and (vii) verifying or maintaining the quality or safety of a service or device.
How We Disclose the Information We Collect
We disclose your Personal Information in the following ways:
- In Connection with a Legal Right or Obligation. We may investigate and disclose information from or about you if we have a good faith belief that such investigation or disclosure is (a) reasonably necessary to comply with legal process and law enforcement instructions and orders, such as a search warrant, subpoena, statute, judicial proceeding, or other legal process served on us; (b) helpful to prevent, investigate, or identify possible wrongdoing in connection with the Services; or (c) protect our rights, reputation, property, or that of our users, affiliates, or the public.
- With individuals to whom you direct us, such as your employer, colleagues, or references (such as in the case of a job application).
Datavant may use or disclose deidentified information so long as the entities to whom Datavant discloses deidentified data are prohibited from re-identifying or attempting to re-identify data.
Cookies and Data Collection Technologies
- How We Respond to Do Not Track Signals. Some web browsers incorporate a “Do Not Track” (“DNT”) or similar feature that signals to websites that a user does not want to have his or her online activity and behavior tracked. If a website that responds to a particular DNT signal receives the DNT signal, the browser can block that website from collecting certain information about the browser’s user. Not all browsers offer a DNT option and DNT signals are not yet uniform. For this reason, many digital service operators, including Datavant, do not recognize or respond to DNT signals.
Most web browsers can be set to inform you when a cookie has been sent to you and provide you with the opportunity to refuse that cookie. Refusing a cookie will generally not interfere with your use of our online Services. However, refusal of a cookie may, in some cases, preclude you from using or negatively impact the display, feature, or function of our online Services.
Our Data Retention Practices
We retain your Personal Information for only as long as we need it to provide our products and services, operate our business, and comply with our legal obligations. When we decide how long to keep your Personal Information, we keep in mind the nature and sensitivity of the information, the potential harm from unauthorized use, the reasons we collected the Personal Information, and our legal obligations.
How We Protect Your Information
Communications between your browser and portions of the online Services containing Personal Information are protected with Secure Sockets Layer (“SSL”) encryption. This encryption is to help protect your information while it is being transmitted. Once we receive your information, we strive to maintain the physical and electronic security of your Personal Information using commercially reasonable efforts.
NO DATA TRANSMISSION OVER THE INTERNET OR ANY WIRELESS NETWORK CAN BE GUARANTEED TO BE PERFECTLY SECURED. AS A RESULT, WHILE WE STRIVE TO PROTECT YOUR PERSONAL INFORMATION USING COMMERCIALLY AVAILABLE AND INDUSTRY STANDARD ENCRYPTION TECHNOLOGY, WE CANNOT ENSURE OR GUARANTEE THE SECURITY OF ANY INFORMATION YOU TRANSMIT TO US, AND YOU DO SO AT YOUR OWN RISK.
In the Event of a Security Breach of Your Personal Information
If we determine that your Personal Information has or may reasonably have been disclosed due to a security breach of our systems, we will notify you in accordance with and to the extent required by applicable state and federal law using the information that we have on file.
Disclosures for California Residents
California residents are entitled to the following disclosures about our data processing:
- In the preceding 12 months, Datavant has collected the categories of Personal Information detailed in the PERSONAL INFORMATION WE COLLECT AND HOW WE USE IT section above. The purposes for which Datavant has collected Personal Information and the sources of that information are also described above.
- During the past 12 months, we have generally disclosed your personal information as follows:
|Category of Personal Information|To whom we’ve disclosed for a business purpose|
|---|---|
|Records about you|Service providers|
|Commercial information|Service providers|
|Internet or other electronic network activity information|Service providers|
|Protected class and demographic information|Service providers|
|Professional or employment-related information|Service providers|
|Sensitive information|Service providers|
- We do not disclose your Personal Information to third parties for commercial purposes. We do not sell your Personal Information, and we do not share information with third parties for cross-context behavioral advertising (including the Personal Information of individuals under 16 years old).
Shine the Light – Third Party Marketing:
In addition to the disclosures above, you have additional rights as explained in more detail below.
Depending on where you live, you may be entitled to the following privacy rights:
- The right to know. You have the right to request to know the categories and specific pieces of Personal Information we have collected about you; the categories of sources from which that Personal Information was collected; and how we have sold, shared, or otherwise disclosed your Personal Information.
- Right to correct. You may have the right to request that we correct inaccurate personal information that we maintain about you.
- The right to deletion. You have the right to request that we delete the Personal Information that we have collected or maintain about you. We may deny your request under certain circumstances, such as if we need to comply with our legal obligations or complete a transaction for which your Personal Information was collected. If we deny your request for deletion, we will let you know the reason why.
You may exercise your right to know, right to correct, and your right to deletion twice a year free of charge. To exercise your right to know or your right to deletion, contact us via our C3 phone number at 844-882-3809 or visit our C3 website at www.cioxcomplianceconnection.com.
If you choose to exercise any of these rights, we will not discriminate against you in any way. If you exercise certain rights, understand that you may be unable to use or access certain features of our services.
Datavant will take steps to verify your identity before processing your request to know or request to delete. We will not fulfill your request unless you have provided sufficient information for us to reasonably verify you are the individual about whom we collected Personal Information. If you have an account with us, we will use our existing account authentication practices to verify your identity. If you do not have an account with us, we may request additional information about you to verify your identity. We will only use the Personal Information provided in the verification process to verify your identity or authority to make a request and to track and document request responses, unless you initially provided the information for another purpose.
You may use an authorized agent to submit a request to know or a request to delete. When we verify your agent’s request, we may verify both your and your agent’s identity and request a signed document from you that authorizes your agent to make the request on your behalf. To protect your Personal Information, we reserve the right to deny a request from an agent that does not submit proof that they have been authorized by you to act on your behalf.
Certain laws may give you a right to appeal any denials of your request to exercise your rights. If we deny your request and you would like to submit an appeal, please contact us at 844-882-3809.
Third Party Practices
Changes to Our Policy
44 Montgomery Street
San Francisco, CA 94104
or visit our C3 website at www.cioxcomplianceconnection.com.