Privacy Policy Last Reviewed December 18th, 2020

For Privacy Policy Effective Prior to January 1, 2020, please click here.

PRIVACY POLICY FOR “LOGIN WITH ATHENAHEALTH” USER ACCOUNTS
(LWA USER PRIVACY POLICY)

Please read the following terms carefully as they relate to LOGIN WITH ATHENAHEALTH. If you do not wish to create a LOGIN WITH ATHENAHEALTH account, but still wish to access the Patient Portal, please contact athenahealth to obtain credentials that can be used to only access the Patient Portal at: athenaIdentityAccount@athenahealth.com. So that we can locate your account, in the body of the email, please provide your full name, date of birth, practice name of the portal you wish to access and your state of residence. This information will be used only for purposes of identification and to facilitate your request.

WHO WE ARE

We, athenahealth, Inc. and our subsidiaries and affiliates “athenahealth”, "we", "us"), service providers and health systems throughout the United States to help deliver better care for all. We offer integrated health care solutions for our clients, including medical groups, practices, hospitals, health systems, and for physicians, specialists, staff and patients. We also offer a single sign on service "LOGIN WITH ATHENAHEALTH",("LWA") to make it easier for users to access various products and services offered separately by athenahealth as well as those of our clients and other third parties. We refer to all of our websites, applications, products, services, and solutions collectively as our "Services."

SCOPE AND PURPOSE:

This LWA User Privacy Policy focuses on information we collect in connection with your registration for an account with LWA and maintenance of that LWA account and any related LWA user profile. Our LWA Terms of Use also apply to your LWA account. Additional specific privacy policies, terms and agreements may also apply to any particular Services you use, whether through your LWA account or otherwise, including policies, terms and agreements for: our main website www.athenahealth.com; our athenahealth platforms (e.g., athenaCollector, athenaClinicals, athenaCommunicator, athenaCoordinator, athenaNet etc.); our athenahealth product offerings (e.g., athenaText or Epocrates®); our athenahealth Patient Portal; and any of our other websites, products, services, solutions or applications. If you use LWA to access or share data with any websites, applications, platforms, services, solutions or portals of any third parties (including any patient portals offered by any healthcare provider(s)) (each, a "Third Party Platform"), ”), the privacy policies, terms and agreements of such Third Party Platforms will apply to your use of such Third Party Platform. We do not control and are not responsible for Third Party Platforms or any information you may share with, or access from, any Third Party Platforms, whether using LWA or otherwise.

LWA is not intended for use by anyone outside of the United States.

Any unauthorized registration for, access or use of LWA, our Services, client accounts or Third Party Platforms is strictly prohibited.

COLLECTION OF INFORMATION

We may collect the following types of information in connection with your LWA account:

In addition, we may collect other information as permitted under applicable law and any applicable contracts with our clients.

USE OF INFORMATION

We may use information collected in connection with your LWA account to:

In addition, we may use information in other ways as permitted under applicable law and any applicable contracts with our clients.

SHARING OF INFORMATION

We may share information regarding your LWA account:

We may also share information regarding your LWA account:

In addition, we may share information as permitted under applicable law and any applicable contracts with our clients.

COOKIES

We use cookies to authenticate users, block malicious use of login credentials and shield unauthorized access to LWA and our Services. We also developed and use cookies to collect information on LWA and our Services in order to understand and improve LWA and our Services. These cookies also help us learn how well LWA and our Services operate across different locations and identify any issues in the operation and provision of LWA or our Services.

Third-Party Cookies

We also permit the setting of third-party cookies on LWA. These assist us in measuring and understanding how our products are used and how they can be optimized. We may also receive other analytics information from these third parties.

Most internet browsers accept cookies by default. You can block cookies by activating the setting on your browser that allows you to reject all or some cookies. The help and support area on your internet browser should have instructions on how to block or delete cookies. Some web browsers (including some mobile web browsers) provide settings that allow you to control or reject cookies or to alert you to when a cookie is placed on your computer, tablet or mobile device. Your LWA account also may not recognize if your browser sends a “do not track” signal or similar mechanism to indicate you do not wish to be tracked or receive interest-based ads.

For more information, visit the help page for your web browser or see http://www.allaboutcookies.org or visit www.youronlinechoices.com which has further information about behavioral advertising and online privacy.

DATA RETENTION

To the extent permitted by applicable law and any applicable client agreements (if any are applicable), we may retain your information for as long as needed to comply with our legal obligations (including to you, to our clients or to any third parties), to resolve disputes, to enforce our legal rights, policies, terms and agreements, for analytic purposes, to share information with you, or authorize our customers and partners to share information with you, about relevant services or products we think may be of interest or benefit to you, for security purposes, or for as long as is reasonably necessary for other lawful purposes.

SECURITY OF INFORMATION

Security is of the utmost importance for athenahealth. athenahealth uses technical and physical safeguards to protect the security of your information from unauthorized disclosure. However, security cannot be guaranteed against all threats.

You may not assign or transfer your LWA account or share your LWA login, password or any other credentials with any other person without our consent. Please notify us immediately if you believe the security of your LWA account may have been compromised.

ACCESSING AND UPDATING YOUR INFORMATION

NOTICE REGARDING CHILDREN AND MINORS UNDER 16

athenahealth recognizes the importance of protecting the privacy and safety of children. LWA accounts are not intended for users under the age of sixteen (16) years old, and such users are not authorized to have LWA accounts. If you believe we have collected data from a user under sixteen (16) years old without the consent of their parent or legal guardian, please let us know immediately by contacting us as indicated below and provide sufficient information so we can act appropriately on your request.

TELEPHONE CONSUMER PROTECTION ACT (TCPA) NOTICE

In connection with your LWA account, athenahealth may need to send business, informational, support and security related messages (whether texts, alerts or calls) to all telephone numbers, including cellular numbers or mobile devices, you choose to provide on your LWA account. You agree such texts or calls may be pre-recorded messages or placed with an automatic telephone dialing system. In addition, you agree that athenahealth may send service or account related text messages to cellular phone numbers you provide to athenahealth, and you agree to accept and pay all carrier message and data rates that apply to such text messages. If you choose to provide an e-mail or other electronic address on your LWA account, you acknowledge and consent to receive business and informational messages relating to your LWA account at the address, and you represent and warrant that such address is your correct address and is not accessible or viewable by any other person.

DISPUTES

Unless otherwise required by applicable law, or otherwise specified in other athenahealth terms applicable to the specific Services you are accessing or using through your LWA account (and then only to the extent that the dispute relates solely to such specific Services), you agree that all provisions regarding disputes set forth in our LWA Terms of Use also apply to any disputes related to this LWA User Privacy Policy, including without limitation, choice of law, forum, service of process, mediation or arbitration, waiver of rights to trial by jury and agreement not to assert any claims in a consolidated or class action.

QUESTIONS/UPDATES TO THIS LWA USER PRIVACY POLICY

This LWA User Privacy Policy may change from time to time. Your registration or maintenance of your LWA account or any related LWA user profile after we make changes is deemed to be acceptance of those changes. Please check periodically for updates.
To the extent required by applicable law, athenahealth will also attempt to notify you when we make material changes to this LWA User Privacy Policy.

CONTACT

If you have any questions about this LWA User Privacy Policy or any other aspects of your privacy with respect to athenahealth (including our processing of your personal information), please contact us at: athenahealth, Inc., Attn: Chief Compliance Officer, 311 Arsenal Street, Watertown, MA 02472.

CALIFORNIA PRIVACY RIGHTS NOTICE

Effective Date: January 1st, 2020

This Privacy Notice for California Residents supplements the information contained in above included Privacy Policy and applies solely to all visitors, users, and others who reside in the State of California ("consumers" or "you"). We adopt this notice to comply with the California Consumer Privacy Act of 2018 (CCPA) and any terms defined in the CCPA have the same meaning when used in this Notice.

Where noted in this Notice, the CCPA temporarily exempts personal information reflecting a written or verbal business-to-business communication ("B2B personal information") from some its requirements.

Information We Collect

We collect information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer, household, or device ("personal information"). Personal information does not include:

In particular, we have collected the following categories of personal information from consumers within the last twelve (12) months:

Category Examples Collected
A. Identifiers. A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver's license number, passport number, or other similar identifiers. YES
B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)). A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.

Some personal information included in this category may overlap with other categories.
YES
C. Protected classification characteristics under California or federal law. Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information). YES
D. Commercial information. Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. YES
E. Biometric information. Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data. YES
F. Internet or other similar network activity. Browsing history, search history, information on a consumer's interaction with a website, application, or advertisement. YES
F. Internet or other similar network activity. Browsing history, search history, information on a consumer's interaction with a website, application, or advertisement. YES
G. Geolocation data. Physical location or movements. YES
H. Sensory data. Audio, electronic, visual, thermal, olfactory, or similar information. NO
I. Professional or employment-related information. Current or past job history or performance evaluations. NO
J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)). Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records. NO
K. Inferences drawn from other personal information. Profile reflecting a person's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. YES

We obtain the categories of personal information listed above either directly from you (e.g., from your use of the Services) or indirectly from you (e.g., observing your actions on our website), as further described above.

Use of Personal Information

We may use, or disclose the personal information we collect for one or more of the following purposes:

We will not collect additional categories of personal information or use the personal information we collected for materially different, unrelated, or incompatible purposes without providing you notice.

Sharing Personal Information

We share your personal information with the following categories of third parties:

Disclosures of Personal Information for a Business Purpose

In the preceding twelve (12) months, we have disclosed the following categories of personal information for a business purpose:

We disclose your personal information for a business purpose to the following categories of third parties:

Your Rights and Choices

The CCPA provides consumers (California residents) with specific rights regarding their personal information. This section describes your CCPA rights and explains how to exercise those rights.

Access to Specific Information and Data Portability Rights

You have the right to request that we disclose certain information to you about our collection and use of your personal information over the past 12 months. Once we receive and confirm your verifiable consumer request (see Exercising Access, Data Portability, and Deletion Rights), we will disclose to you:

Deletion Request Rights

You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request (see Exercising Access, Data Portability, and Deletion Rights), we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies.

We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to:

Exercising Access, Data Portability, and Deletion Rights

To exercise the access, data portability, and deletion rights described above, please submit a verifiable consumer request to us by either:

Only you, or someone legally authorized to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child. To designate an authorized agent, please call the phone number referenced above.

You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:

For Access, Data Portability, or Deletion Requests, we cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. Making a verifiable consumer request does not require you to create an account with us. We will only use personal information provided in a verifiable consumer request to verify the requestor's identity or authority to make the request.

Response Timing and Format

We endeavor to respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time, we will inform you of the reason and extension period in writing.

Any disclosures we provide will cover the 12-month period preceding the verifiable consumer request's receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable.

Non-Discrimination

We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:

Other California Privacy Rights

California's "Shine the Light" law (Civil Code Section § 1798.83) permits users of LWA that are California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. To make such a request, please send an email to consumerprivacyrequests@athenahealth.com or write us at: Attn: Chief Compliance Officer, athenahealth, Inc., Watertown, MA 02472.

Changes to Our Privacy Notice

We reserve the right to amend this privacy notice at our discretion and at any time. When we make changes to this privacy notice, we will post the updated notice on the website and update the notice's effective date. Your continued use of our website following the posting of changes constitutes your acceptance of such changes.

Contact Information

9. How to send us your feedback

Our goal is to respect your privacy and we encourage user feedback to help us improve our privacy policies. If you have any questions or suggestions about this privacy statement or our processing of your personal information, please contact us at: consumerprivacyrequests@athenahealth.com.

LAST UPDATED: January 1, 2019