Effective: August 24, 2023

California Privacy Rights

These California Privacy Rights supplement the information contained in the Privacy Policy for MedRisk and apply to certain residents of the State of California. The terms used in this Privacy Notice have the same meaning as the terms defined in the California Consumer Privacy Act (“CCPA”).

A Note About MedRisk as a Service Provider

This California Privacy Rights Notice for California residents applies to information that we collect in our capacity as a “business” under the CCPA, i.e., when we collect information on our own behalf. If you interact with MedRisk based on your relationship to one of our clients (e.g., your employer or insurance carrier), you should review such client’s privacy policy and send any questions or communications relating thereto directly to such client (including, without limitation, if you wish to exercise any rights available to you under the CCPA). We assume no responsibility to you or any other third party with respect to any obligations of our clients under the CCPA. If you are not certain whether we are acting as a service provider in your particular circumstance, please contact us using the contact information provided in this Privacy Notice.

What Personal Information We Collect and Disclose

In accordance with the CCPA, personal information is information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information does not include information outside the scope of the CCPA such as:

  • Health or medical information covered by the Health Insurance Portability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA);
  • Personal Information covered by the Gramm-Leach-Bliley Act (GLBA), the Fair Credit Reporting Act (FCRA), the California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994;
  • Publicly available information or lawfully obtained, truthful information that is a matter of public concern;
  • Publicly available information that is lawfully made available to the general public from federal, state, or local government records; and
  • De-identified or aggregated consumer information.

The CCPA requires us to tell you what categories of personal information we sell, share or disclose. We do not sell and will not sell your personal information as that term is commonly understood. We also do not sell and will not sell your personal information, including the personal information of persons under 16 years of age, as that term is defined by the CCPA. When it is necessary for a business purpose, we may disclose your personal information to a customer, service provider or contractor, and we enter into a contract with the customer, service provider or contractor that limits how the information may be used and requires the customer or service provider to protect the confidentiality of the information.

We may also transfer to a third party the personal information of a person as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the MedRisk business.

Please see the chart below to learn what categories of personal information we may have collected about California consumers within the preceding twelve months, the sources of and business purposes for that collection and the third parties, as that term is defined in the CCPA, to whom the information has been disclosed, if any.

Category: Identifiers
Examples: Real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, or other similar identifiers, social security number, passport number and driver’s license number.
Sources: Claimant, employee, employer, attorneys, medical providers, public records, insurance brokers and agents.
Business Purpose for Collection: Providing products or services. Responding to and administering insurance claims. Fulfilling obligations as an employer. Performance of a contract. Compliance with state and federal laws.
Third Parties to Whom Information is Disclosed: Medical providers, employers, attorneys, regulators and government authorities, insurance companies, third party administrators, service providers, subsidiaries and affiliates.

Category: Personal information described in California Customer Records statute (Cal. Civ. Code § 1798.80(e))
Examples: Name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, financial information, insurance policy number, education, employment, employment history, medical and health information, and health insurance information.
Sources: Claimant, employee, employer, medical providers, public records, attorneys, insurance companies, third party administrators.
Business Purpose for Collection: Providing products or services, responding to and administering insurance claims. Fulfilling obligations as an employer. Compliance with state and federal laws.
Third Parties to Whom Information is Disclosed: Medical providers, employer, attorneys, regulators and government authorities, insurance companies, third party administrators, service providers, subsidiaries and affiliates.

Category: Characteristics of protected classifications under California or federal law.
Examples: Age (40 years or older), race, color, ancestry, national origin, citizenship, religions or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, or genetic information (including familial genetic information).
Sources: Claimant, employee, employer, medical providers, public records, insurance companies and agents.
Business Purpose for Collection: Providing products or services, responding to and administering insurance claims. Fulfilling obligations as an employer. Compliance with state and federal laws.
Third Parties to Whom Information is Disclosed: Medical providers, employer, attorneys, regulators and government authorities, insurance companies, third party administrators, service providers, subsidiaries and affiliates.

Category: Internet or other electronic network activity
Examples: Browsing history, search history, information about a consumer’s interaction with a website, application, or advertisement.
Sources: Claimant, employee
Business Purpose for Collection: Fulfilling obligations as an employer and service provider.
Third Parties to Whom Information is Disclosed: N/A

Category: Sensory data
Examples: Audio, electronic, visual, thermal, olfactory, or similar information
Sources: Claimant, medical providers.
Business Purpose for Collection: Fulfilling obligations as an employer and service provider.
Third Parties to Whom Information is Disclosed: Medical providers, employer, insurance companies, third party administrators, service providers, subsidiaries and affiliates.

Category: Professional or employment related information
Examples: Current or past employment history, performance evaluations, disciplinary records, investigations, awards, earnings, compensation and payroll records, benefit records, employment application, resume, background checks, contracts and agreements or termination records, leave documentation, medical records or workers compensation records.
Sources: Claimant, employee, employer, public records.
Business Purpose for Collection: Fulfilling obligations as an employer and service provider. Compliance with state and federal law.
Third Parties to Whom Information is Disclosed: Medical providers, employer, regulators and government authorities, insurance companies, reinsurers, service providers.

Category: Nonpublic Education information (FERPA)
Examples: Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class list, student schedules, student identification codes, student financial information, or student disciplinary records.
Sources: Claimant, employee, employer, public records.
Business Purpose for Collection: Fulfilling obligations as an employer and service provider.
Third Parties to Whom Information is Disclosed: N/A

Category: Inferences from other personal information to create a profile of a person
Examples: A person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities and aptitudes.
Sources: Claimant, Medical providers
Business Purpose for Collection: Fulfilling obligations as an employer and service provider.
Third Parties to Whom Information is Disclosed: Medical and service providers

Our Retention of Personal Information

The length of time that we retain personal information largely depends upon the purpose for which the information was collected rather than the category of the information as set forth in this Notice. When establishing retention periods, we consider applicable statutes of limitation and legal and regulatory requirements and guidelines. Personal information is generally retained for periods of time that permit the company to meet its legal and regulatory obligations.

Your Rights and Choices

The CCPA provides California residents with certain rights regarding their personal information. This chart describes those rights and certain limitations to those rights.

Right: Notice
What This Means: At or before the time your personal information is collected, you will be given or be able to access information regarding the categories of personal information to be collected, the purposes for which the categories of personal information will be used and whether that information is sold or shared.

Right: Access
What This Means: At your verifiable request, but no more than twice in a twelve month period, we shall disclose to you: (1) the categories of personal information we have collected about you, (2) the categories of sources for the personal information we collected about you, (3) our business or commercial purpose for collecting, selling or sharing your personal information, (4) the categories of third parties to whom we disclose your personal information, (5) the specific pieces of information we have collected about you, (6) the categories of personal information disclosed about you for a business purpose and the categories of persons to whom your personal information was disclosed for a business purpose, and (7) if we sold or shared personal information, the categories of personal information sold or shared and the categories of third parties to whom it was sold or shared.

Right: Deletion
What This Means: You have the right to request that we delete any of your personal information that we collected from you, subject to certain exceptions. Once we receive and verify your request, we will delete (and direct our service providers and contractors to delete) your personal information from our records unless an exception applies. We may deny your request if retention of the information is necessary for us or our service providers to:

• Complete the transaction for which we collected the personal information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you.
• Help to ensure security and integrity to the extent the use of your personal information is reasonably necessary and proportionate to that purpose. Debug to identify and repair errors that impair existing intended functionality.
• Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
• Comply with the California Electronic Communications Privacy Act (Cal. Penal Code §1546 et seq.)
• Engage in public or peer reviewed scientific, historical, or statistical research that conforms or adheres to all other applicable ethics and privacy laws, when the information’s deletion is likely to render impossible or seriously impair the research’s completion, if you previously provided informed consent.
• Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us and compatible with the context in which you provided the information.
• Comply with a legal obligation.
• Or if it is the type of personal information that falls outside the scope of the CCPA (HIPAA, CMIA, GLBA, or publicly available information).

Given the type of information that we collect and the purposes for which we collect it, in many instances we may not be able to delete your personal information because without that information we would be unable to provide the insurance services that we are obligated to provide to you. Each request to delete will be considered on an individual basis.

Right: Correct
What This Means: You have the right to request that we correct inaccurate personal information about you, taking into account the nature of the personal information and the purposes of the processing of the personal information. After we receive and verify your request, we will use commercially reasonable efforts to correct the inaccurate personal information as directed by you.

Right: Opt-Out of Sale or Sharing
What This Means: With some limitations, you may direct a business that sells or shares personal information to third parties not to sell or share the personal information to these third parties.

Right: Opt-In to Sale or Sharing
What This Means: A business may not sell or share the personal information of persons less than sixteen years of age without their affirmative consent, and in the case of those less than thirteen years of age, the consent must come from a parent.

Right: Limit Use of Sensitive Personal Information
What This Means: You may direct a business to limit the use of your sensitive personal information to that use which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services and certain other limited uses as described in the CCPA and applicable regulations.

Right: Non-Discrimination
What This Means: We will not discriminate against you for exercising your rights under the CCPA. Unless otherwise permitted by the CCPA we will not:

• Deny you goods or services.
• Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
• Provide a different level or quality of goods or services.
• Suggest that you will receive a different price or rate for goods or services or a different level or quality of goods or services.
• Retaliate against you as an employee, applicant for employment or independent contractor for exercising your rights under the CCPA.

To Exercise Your Rights

To Opt-out of the Sale or Sharing of Your Personal Information

The CCPA gives consumers the right to direct a business that sells or shares personal information about the consumer to third parties not to sell or share the consumer’s personal information. We do not sell and will not sell your personal information as that term is commonly understood. We also do not sell and will not sell your personal information, as that term is defined by the CCPA. We do not share your personal information as that term is defined in the CCPA.

To Limit the Use of Sensitive Personal Information

The CCPA gives consumers the right to direct a business to limit the use of the consumer’s sensitive personal information to that use which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services and certain other limited uses as described in the CCPA and applicable regulations. We do not use or disclose sensitive personal information for purposes other than those purposes specified in Section 7027, subsection (m) of the California Consumer Privacy Act Regulations. If we begin using or disclosing your sensitive personal information outside of those purposes, then we will provide you with the option to limit our use or disclosure through a clear and conspicuous link on our internet homepage.

To Request Access to or Correction or Deletion of Your Personal Information

To exercise your access, correction or deletion rights described above, please submit a verifiable consumer request to us by either calling us at 877-404-3695 or emailing us at ccpa@medrisknet.com.

Only you or a representative that you authorize to act on your behalf (Authorized Agent) can make a verifiable consumer request for your personal information. You may also make a request for your minor child. The verifiable request must provide enough information to allow us to reasonably verify you are the person about whom we collected personal information. We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm that the personal information relates to you.

We use several layers of authentication in order to verify your identity and safeguard access to your personal information. We will request that you respond to a text message from our representative. We will also request that you provide certain information such as your first and last name, your address and your birthdate and respond to other questions designed to authenticate your identity. If we are unable to verify your identity, we may require additional authentication or your request may be rejected.

We work to respond to a verifiable consumer request within 45 days of its receipt. If we require additional time, we will inform you of the extension period (up to an additional 45 days), and the reason for the extension in writing. We will deliver our response by mail or electronically, depending on your preference. The response we provide will also explain any reasons why we cannot comply with a request.

You may only make a consumer request for access twice within a twelve-month period. Any disclosures we provide will apply to the twelve-month period preceding the receipt of the consumer request.