Privacy Notices


Privacy Policy – CareXM


Revised February 05th, 2022

Document Approval Table

Date Last Reviewed | Next Review Date | Current Revision
12-27-2022 | 12-27-2023 | C

Table of Contents

  1. PRIVACY POLICY … 4
    • Privacy Policy … 4
    • HOW AND WHY WE COLLECT DATA, AND HOW WE USE THE DATA WE COLLECT … 5
    • RESPONSIBILITY TO PROVIDE RECORDS AND COMPLIANCE REPORTS §§ 160.310 … 8
    • REFRAINING FROM INTIMIDATION OR RETALIATION §§ 160.316 … 8
    • SECURITY STANDARDS §§ 164.306 … 9
    • ADMINISTRATIVE SAFEGUARDS §§ 164.308 … 10
    • PHYSICAL SAFEGUARDS §§ 164.310 … 11
    • TECHNICAL SAFEGUARDS §§ 164.312 … 12
    • BREACH NOTIFICATION RULE §§ 164.402 … 14
    • A BREACH EXCLUDES §§ 164.402(1) … 14
    • NOTIFICATION TO INDIVIDUALS §§ 164.404 & §§ 164.410 … 15
    • BUSINESS ASSOCIATES: PERMITTED USES AND DISCLOSURE §§ 164.502(A)(3) … 16
    • BUSINESS ASSOCIATES: REQUIRED USE AND DISCLOSURES §§ 164.502(A)(4) … 17
    • BUSINESS ASSOCIATES: PROHIBITED USES AND DISCLOSURE §§ 164.502(5) … 17
    • SALE OF PHI §§ 164.502(A)(5)(II)(A) … 18
    • MINIMUM NECESSARY USE OR DISCLOSURE §§ 164.502(B) … 19
    • MINIMUM NECESSARY DOES NOT APPLY §§ 164.502(B)(2) … 19
    • USE AND DISCLOSURES OF DE-IDENTIFIED PHI §§ 164.502(D)(1) … 20
    • USE AND DISCLOSURE WHERE AUTHORIZATION IS NOT REQUIRED §§ 164.512 … 20
    • IDENTIFYING PHI §§ 164.514(A)(2)(I) … 22
    • ACCESS OF INDIVIDUALS TO PHI §§ 164.524 … 23
    • RIGHT TO AMEND PHI §§ 164.526 … 24
    • RIGHT TO ACCESS AND ACCOUNTINGS OF DISCLOSURES §§ 164.528 … 24
  2. DOCUMENT REVISION HISTORY … 25

I. Privacy Policy

Privacy Policy Objective

Controls exist to provide reasonable assurance that critical or sensitive personal data is secured and that only authorized access is permitted. This policy provides guidance for CareXM personnel on how to identify and protect Protected Health Information (PHI).

Scope

At CareXM, the security and compliance board is responsible for protecting the confidentiality of protected health information in all its forms. This is to ensure that data and programs remain confidential and are available only to authorized workforce members.

Guidelines

The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)1 was enacted to improve the portability of health coverage. The HIPAA Privacy Rule addresses the use and disclosure of an individual’s health information, called “protected health information” (“PHI”), and applies to business associates.

The principal laws relating to medical privacy include:

  • The Standards for Privacy of Individually Identifiable Health Information (the Privacy Rule)2 implementing HIPAA.
  • The Health Information Technology for Economic and Clinical Health (HITECH) Act, which modified the Privacy Rule by adding provisions to strengthen civil and criminal enforcement and to require breach notification.3 With the HITECH update, the HIPAA privacy and security rules are codified and apply directly to Business Associates.4
  • The final omnibus rule issued by the U.S. Department of Health and Human Services (HHS), which strengthened the Privacy Rule.
  • The Genetic Information Nondiscrimination Act of 2008 (GINA), which provides that genetic information is protected under the Privacy Rule.5

1 HIPAA Final Privacy Rule, 45 C.F.R. 164.500
2 HIPAA Final Privacy Rule, 45 C.F.R. Parts 160 and 164.

HIPAA covered entities (“CEs”) and business associates (“BAs”) are required to adhere to HIPAA privacy standards. CEs include healthcare providers, health plans, and healthcare clearinghouses. Because CareXM processes PHI and/or performs services and activities for, or on behalf of, a CE, CareXM is considered a Business Associate. When a CE engages another entity to provide the activities and services described above, the HIPAA Privacy Rule requires that the CE enter into a business associate agreement (“BAA”) with that entity. See Exhibit C for definitions pertaining to the protection of medical information privacy.

How and Why We Collect Data, and How We Use the Data We Collect

  • What information we collect
    • Information We Collect Automatically. If you use our websites, or read or download information, your web or mobile browser may automatically send us your internet or other network activity, including one or more of the following (collectively, “Network Information”):
      • Your internet protocol (IP) address, registration date, and one or more cookies that may uniquely identify your browser.
      • Your internet domain and the specific path, actions, and navigation choices.
      • The internet address of the site from which you linked to the Sites, and the time and date you accessed the Sites.
      • Your browsing history, search history, and information on your interaction with the Sites or other websites, applications, or advertisements; and
      • Your browser software, operating system, and browser language, and information about your location and mobile device, including a unique identifier for the mobile device.

3 Health Information Technology for Economic and Clinical Health (HITECH) Act, Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (ARRA), Pub. L. No. 111-5, codified at 42 U.S.C. § 300
4 42 U.S.C. § 17921 (2); 45 C.F.R. § 160.103
5 Pub. L. No. 110-233 122 Stat. 881



  • Why We Collect: We collect this information for business and commercial purposes, including to:
    • Maintain or analyze the functioning of the Sites or Services and to maintain network communications.
    • Monitor and analyze web traffic and online behavior for search engine optimization.
    • Host data files that enable the Sites to function, be distributed, and provide specific features or parts of the Sites.
    • Create, maintain, customize, secure, and manage your accounts with us, including for accounting, finance, and dispute resolution purposes (such as accounts receivable, accounts payable, account reconciliation, cash management, or money movement) and for consolidated management and reporting.
    • Personalize your experience on the Sites and deliver content and Services relevant to your interests and requests through our Sites (with your consent as required by law).
    • Manage security, including monitoring individuals with access to the Sites and Services, applications, systems, or facilities, investigating threats, and as needed for any data security breach notification.
  • Information You Give to Us, and Information We Collect from Covered Entities. If you use our Sites or Services, we receive and store information you enter on our Sites, or that you give us in-person, via telephone, email, or otherwise. When we obtain personal data from our Covered Entity, we treat the acquired information like the information that we collect ourselves. Depending on the Services we provide to customers and/or the services being provided to us by other third parties, we may collect (and over the previous 12 months have collected) the following information about you from you and/or others:
    • Network Information.
    • Personal information and identifiers, such as name, postal address, email address, telephone numbers, account name, social security number, driver’s license or state identification card number, physical characteristics or description, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information (collectively, “Personal Information and Identifiers”).
    • Protected classification information, such as race, color, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), and veteran or military status.
    • Biometric and identifying information, such as fingerprints, faceprints, voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data, genetic, physiological, behavioral, and biological information, or other similar information (collectively, “Biometric Information”).
    • Sensory data, such as audio, electronic, visual, thermal, olfactory, or similar information (collectively, “Sensory Information”).
    • Geolocation data, such as physical location or movements (collectively, “Geolocation Information”).
    • Professional or employment-related information, such as work history and job descriptions with current and prior employers (collectively, “Employment Information”).
    • Do We Share or Sell Information with Third Parties?
      • No, we do not share information with third parties, nor do we sell your personal information.

Right to File a Complaint §§ 160.306

  • A person who believes that CareXM is not complying with the administrative simplification provisions may file a complaint with the HHS Secretary.6
    • A complaint must be filed in writing, must name the person that is the subject of the complaint, and must describe the acts or omissions believed to be in violation.7
  • An investigation may include a review of the pertinent policies, procedures, or practices of CareXM and of the circumstances regarding any alleged violation.8

6 HIPAA Final Privacy Rule, 45 C.F.R. §§ 160.306(a)
7 HIPAA Final Privacy Rule, 45 C.F.R. §§ 160.306(b)(1 – 3)
8 HIPAA Final Privacy Rule, 45 C.F.R. §§ 160.306(c)(3)



Responsibility to Provide Records and Compliance Reports §§ 160.310

  • CareXM must keep sufficient records so that, if the HHS Secretary requests documentation to confirm that CareXM follows the simplification provisions, CareXM can produce that documentation in a timely manner.9
  • CareXM must cooperate with the HHS Secretary if the Secretary undertakes an investigation or compliance review of CareXM’s policies.10
  • If the HHS Secretary chooses to review CareXM’s compliance with the HIPAA regulation,11 CareXM will provide the HHS Secretary (during normal business hours) access to its facilities, books, records, accounts, and other sources of information, including PHI, that are pertinent to ascertaining compliance with the applicable simplification provisions.12

Refraining from Intimidation or Retaliation §§ 160.316

  • CareXM may not threaten, intimidate, coerce, harass, discriminate against, or take any other retaliatory action against any individual or other person for –
    • Filing a complaint with Health and Human Services or with the CareXM Privacy Office.13
    • Testifying, assisting, or participating in an investigation, compliance review, proceeding, or hearing; or
    • Opposing any act or practice made unlawful by the federal regulations, provided that the CareXM member has a good faith belief that the practice opposed is unlawful, and the manner of opposition is reasonable and does not involve a disclosure of PHI in violation of this policy.14

Security Standards §§ 164.306

  • CareXM must ensure the confidentiality, integrity, and availability of all ePHI that CareXM creates, receives, maintains, or transmits.15
  • CareXM must protect against any reasonably anticipated threats or hazards to the security or integrity of such information.16
  • CareXM must protect against any reasonably anticipated uses or disclosures of sensitive information that are not permitted by this policy.17
  • CareXM is permitted to use any security measures that allow the company to reasonably and appropriately implement the standards contained within this policy.18
  • In deciding which security measures to use, CareXM can consider the following:19
    • The size, complexity, and capabilities of the organization, considering future growth and cybersecurity trends.
    • The costs of security measures.
    • The probability of potential risks to ePHI.
  • If CareXM finds that some of the required or advisable security controls are not reasonable, CareXM must document why they would not be reasonable and appropriate.20
  • CareXM must review and modify the implemented security measures on a regular basis to continue providing reasonable and appropriate protection of ePHI.21

9 HIPAA Final Privacy Rule, 45 C.F.R. §§ 160.310(a)
10 HIPAA Final Privacy Rule, 45 C.F.R. §§ 160.310(b)
11 HIPAA Final Privacy Rule, 45 C.F.R. §§ 160.308
12 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.53(c)(1)
13 HIPAA Final Privacy Rule, 45 C.F.R. §§ 160.306(a)
14 HIPAA Final Privacy Rule, 45 C.F.R. §§ 160.306(b) – (c)
15 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.306(a)(1)
16 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.306(a)(2)
17 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.306(a)(3)
18 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.306(b)(1)
19 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.306(a)(2)(i)-(iv)
20 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.306(c)(ii)(1)



Administrative Safeguards §§ 164.308

  • CareXM must implement policies and procedures to prevent, detect, contain, and correct security violations.22
  • CareXM must conduct, on a regular basis, an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI held by CareXM.23
  • CareXM must implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.24
  • CareXM must implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.25
  • CareXM should consider implementing policies and procedures to ensure that all members of its workforce have appropriate access to ePHI and to prevent those workforce members who do not have access from obtaining access to ePHI.26
  • CareXM should consider implementing procedures for the authorization and/or supervision of workforce members who work with ePHI.27
  • CareXM must implement procedures for creating, changing, and safeguarding passwords.28
  • CareXM must identify and respond to suspected or known security incidents, and mitigate, to the extent practicable, the harmful effects of security incidents that are known to CareXM.29

21 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.306
22 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.308(1)(i)
23 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.308(ii)(A)
24 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.308(ii)(B)
25 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.308(ii)(D)
26 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.308(3)(i)
27 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.308(ii)(A)
28 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.308(ii)(D)
29 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.308(6)(ii)



  • CareXM is required to establish and implement procedures to create and maintain retrievable exact copies of ePHI.30
  • CareXM is required to establish and implement, as needed, procedures to restore any loss of data.31
  • CareXM must establish procedures to enable continuation of critical business processes for protection of the security of ePHI while operating in emergency mode.32

Physical Safeguards §§ 164.310

  • CareXM must implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.33
  • CareXM shall implement policies, procedures, and controls to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.34
  • CareXM shall implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control and control of access to software programs for testing and revision.35
  • CareXM shall implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (hardware, walls, doors and locks, windows, etc.).36
  • CareXM shall implement policies and procedures with regard to workstation use that specify the proper functions to be performed, the way those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI.37

30 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.308(6)(A)
31 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.308(6)(B)
32 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.308(6)(C)
33 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.310(a)(1)
34 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.310(a)(2)(ii)
35 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.310(a)(2)(iii)
36 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.310(a)(2)(iv)
37 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.310(a)(2)(iv)(b)



  • CareXM shall implement physical safeguards for all workstations that access ePHI to restrict access to authorized users.38
  • CareXM is required to address the final disposition of ePHI and/or the hardware or electronic media on which it is stored.39
  • CareXM is required to address the process of removal of ePHI from electronic media before the media is made available for re-use.40
  • CareXM must address maintaining a record of the movements of hardware and electronic media and any person responsible therefor.41
  • CareXM must address having a retrievable exact copy of ePHI, when needed, before movement of equipment.42
  • CareXM must ensure that all media used by workforce members has disk encryption and the ability to wipe the media device if the device is lost or stolen.

Technical Safeguards §§ 164.312

  • CareXM must implement processes for electronic information systems that maintain ePHI to allow access only to those persons or software programs that have been granted access rights.43
  • CareXM is required to assign a unique name and/or number for identifying and tracking user identity.44
  • CareXM is required to establish a process for obtaining necessary ePHI during an emergency.45
  • CareXM must address the need to terminate an electronic session after a predetermined time of inactivity.46
  • CareXM must address a mechanism to encrypt and decrypt ePHI.47
  • CareXM must implement a mechanism to record and examine activity in information systems that contain or use ePHI.48
  • CareXM must implement a process to protect ePHI from improper alteration or destruction.49
  • CareXM must address the need to implement an electronic mechanism to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.50
  • CareXM needs to verify that a person or entity seeking access to ePHI is the one claimed.51
  • CareXM must guard against unauthorized access to ePHI that is being transmitted over an electronic communications network.52
  • CareXM should ensure that ePHI is not improperly modified without detection until it is disposed of.53
  • CareXM must address the need to encrypt ePHI whenever deemed appropriate.54

38 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.310(a)(2)(iv)(c)
39 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.310(2)(i)
40 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.310(2)(ii)
41 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.310(2)(iii)
42 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.310(2)(iv)
43 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.312(a)(1)
44 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.312(a)(2)(i)
45 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.312(a)(2)(ii)
46 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.312(a)(2)(iii)
47 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.312(a)(2)(iv)
48 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.312(a)(2)(b)
49 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.312(a)(2)(c)(1)
50 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.312(2)(c)(2)
51 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.312(2)(d)
52 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.312(2)(e)(1)
53 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.312(2)(i)
54 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.312(2)(ii)



Breach Notification Rule §§ 164.402

  • The HIPAA Breach Notification Rule55 requires CareXM to provide notification following a breach of unsecured PHI.
  • A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the PHI.
  • If a breach of unsecured protected health information occurs at or by CareXM, CareXM must notify the covered entity following the discovery of the breach. CareXM must provide notice to the covered entity without unreasonable delay and no later than 60 days from the discovery of the breach.
  • To the extent possible, CareXM should provide the covered entity with the identification of everyone affected by the breach, as well as any other available information that the covered entity is required to provide in its notification to affected individuals.
  • Notice must include a description of the types of unsecured PHI that were involved in the breach.56

A Breach Excludes §§ 164.402(1)

  • Any unintentional acquisition, access, or use of PHI by a CareXM workforce member or person acting under the authority of a covered entity or CareXM, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted by this policy.57
  • Any inadvertent disclosure by a person who is authorized to access PHI at CareXM to another person authorized to access PHI at the same organization, where the information received as a result is not further used or disclosed in a manner not permitted by this policy.58
  • An acquisition, access, use, or disclosure of PHI is presumed to be a breach unless the CareXM Privacy Office demonstrates that there is a low probability that the PHI has been compromised, based on a risk assessment of at least the following factors:59
    • The extent to which the risk to the PHI has been mitigated.60
    • Whether the PHI was acquired or viewed.61
    • A review of the unauthorized person who used the PHI or to whom the disclosure was made.62
    • The nature or extent of the PHI involved.63

Notification to Individuals §§ 164.404 & §§ 164.410

  • A covered entity shall, following the discovery of a breach of unsecured PHI, notify everyone whose unsecured PHI has been accessed, acquired, used, or disclosed. CareXM will report all breach findings that it is responsible for to the covered entity.64
  • A breach shall be treated as discovered by CareXM as of the first day on which such breach is known to CareXM or, by exercising reasonable diligence, would have been known to CareXM.
  • CareXM shall be deemed to have knowledge of a breach if the breach is known, or would have been known, to any person, other than the person committing the breach, who is an employee, officer, or other agent of CareXM.65
  • CareXM shall provide the notification required herein without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.66
  • The notification required herein shall include, to the extent possible, the identification of everyone whose unsecured PHI has been, or is reasonably believed by CareXM to have been, accessed, acquired, used, or disclosed during the breach.67
  • CareXM shall provide the covered entity with any other available information that the covered entity is required to include in its notification to the individual.68

55 HIPAA Final Privacy Rule, 45 C.F.R. §§ 160.402-414
56 HIPAA Final Privacy Rule, 45 C.F.R. §§ 160.410(1)-(2)
57 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.402(1)(i)
58 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.402(1)(ii)
59 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.402(2)(1)
60 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.402(2)(1)(iv)
61 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.402(2)(1)(iii)
62 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.402(2)(1)(ii)
63 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.402(2)(1)(i)
64 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.410(a)
65 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.410(a)(2)
66 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.410(a)(2)(b)
67 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.410(a)(2)(c)(1)
68 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.410(a)(2)(c)(2)



Business Associates: Permitted Uses and Disclosure §§ 164.502(a)(3)

  • CareXM is governed by the Business Associate Agreement that it enters into with a covered entity. As such, CareXM may use or disclose PHI only as permitted or required by its business associate contract or as required by law, without authorization.69
  • If a member wants to have their PHI disclosed to the member portal for use in making medical payments for treatments performed, an opt-in authorization is required.70
  • CareXM, as a BA, only uses or discloses PHI in accordance with the terms of a BAA or an individual authorization collected from Participants by or on behalf of a CE.
  • Authorizations have an expiration date, and once that date has passed the authorization for disclosure is no longer valid.71 In the case of a member of CareXM’s HSA, the member must give authorization to have their claims information displayed in the portal. Since some states have an authorization expiration as short as one year, CareXM will abide by the shortest applicable time frame and expire authorizations after one year.

Business Associates: Required Use and Disclosures §§ 164.502(a)(4)

CareXM is required to disclose PHI under the following situations:

  • When required by the Secretary to investigate or determine CareXM’s compliance with the federal regulation.72
  • To the covered entity, individual, or individual’s designee as necessary to satisfy a covered entity’s obligations to disclose information with respect to an individual’s request for an electronic copy of PHI.73

Business Associates: Prohibited Uses and Disclosure §§ 164.502(5)

  • CareXM shall not use genetic testing for pre-employment qualifiers.
  • CareXM shall not use genetic information for the determination of eligibility for, or benefits under, the plan.74
  • CareXM is prohibited from using genetic information to compute premiums or contribution amounts under its health plan coverage.75
  • CareXM is prohibited from using genetic information to exclude an employee on the basis of a preexisting condition.76
  • CareXM may not sell PHI except under the following situations:
    • CareXM has received authorization from the individual to do so.77
    • To or by CareXM for activities that CareXM undertakes on behalf of the covered entity, or on behalf of a business associate in the case of a subcontractor, where the only remuneration provided is by the covered entity to the business associate, or by the business associate to the subcontractor.78
    • When required by law.
    • For any purpose legally permitted where the only remuneration received by the covered entity or business associate is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI.79

69 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.508(a)
70 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.504(e)(2)(i)(A)
71 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.508(2)(i)
72 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.502(a)(4)(i)
73 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.502(a)(4)(ii)
74 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.502(a)(5)(i)
75 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.502(1)
76 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.502(3)
77 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.502(a)(5)(ii)(A) and §§ 164.508(a)(4)
78 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.502(5)(v)
79 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.502(5)(vii)



Sale of PHI §§ 164.502(a)(5)(ii)(A)

CareXM may not sell PHI80 unless:

  • CareXM obtains an authorization for any disclosure of PHI which is a sale of PHI. Such authorization must state that the disclosure will result in remuneration to the company.81
  • A covered entity may sell PHI to a business associate for activities that the business associate undertakes on behalf of a covered entity, or on behalf of a business associate in the case of a subcontractor, where the only remuneration provided is by the covered entity to the business associate or subcontractor, if applicable.82
  • CareXM may sell PHI to an individual when requested by that individual.83
  • Required by law.84
  • For any other purpose permitted where the only remuneration received by CareXM is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI.85

Minimum Necessary Use or Disclosure §§ 164.502(b)

  • CareXM will employ the minimum necessary mindset when requesting, using, and disclosing PHI. CareXM must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.86

Minimum Necessary Does Not Apply §§ 164.502(b)(2)

  • When making disclosures to the individual.87
  • Disclosures made to the HHS Secretary.88
  • Uses and disclosures that are required by law.89
  • Uses or disclosures that are required to determine compliance with the HIPAA regulation.90

80 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.502(a)(5)(ii)
81 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.508(a)(4)(i)
82 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.502(a)(ii)(2)(v)
83 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.502(a)(ii)(2)(v)
84 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.502(a)(5)(B)(v)
85 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.502(a)(5)(B)(viii)
86 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.502(b)(1)
87 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.502(2)(ii)
88 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.502(2)(iv)
89 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.502(2)(v)
90 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.502(2)(vi)



Use and Disclosures of De-identified PHI §§ 164.502(d)(1)

CareXM will in all cases work with the covered entity to include language in the BAA that allows CareXM to de-identify the PHI it receives. This protects the PHI that is used in development, test, or staging environments. The Privacy Rule does not apply to information that has been “de-identified”.

  • Health information that does not identify an individual is no longer considered individually identifiable health information.91
  • The Privacy Rule provides two methods for de-identifying data:
    • Remove the data elements listed in the rule (see below), or
    • Have an expert certify that the risk of re-identifying the individuals is very small.
  • Some BAAs contain language specifying that data can only be de-identified with permission from the CE, and for what purposes the data will be de-identified.92 CareXM will push to be able to de-identify PHI to further protect its members.
  • If CareXM re-identifies information that it had de-identified, that information is again considered PHI, and CareXM may use or disclose such re-identified information only as permitted by the BAA.93

Use and Disclosure Where Authorization is Not Required §§ 164.512

Generally, disclosures of PHI will be conducted by the covered entity, however, the covered entity or Law Enforcement may reach out to CareXM. CareXM will respond in the following manner.

  • CareXM may use or disclose protected health information to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.94 Disclosures for law enforcement purposes are permitted as follows: To comply with a court order or court ordered warrant, a subpoena or summons issued by a judicial officer, or a grand jury subpoena. 95 When a warrant or subpoena is issued CareXM will disclose only the minimum amount of PHI required.
  • To respond to an administrative subpoena, investigative demand, or other written request from a law enforcement official, provided the request is accompanied by a written statement that the information sought is relevant and material to a legitimate law enforcement inquiry, that the request is specific and limited in scope, and that de-identified information could not reasonably be used.96
  • To respond to a request for PHI for purposes of identifying or locating a suspect, fugitive, material witness, or missing person; the covered entity must limit the PHI to name, address, date and place of birth, SSN, date and time of treatment, and date and time of death.97
  • To report PHI to law enforcement when required by law to do so98
  • To report PHI that the covered entity in good faith believes to be evidence of a crime that occurred on the premises99
  • To federal officials authorized to conduct intelligence, counterintelligence and national security activities under the National Security Act100 or to provide protective services to the President and others.101
  • To respond to a request for PHI by a correctional institution or a law enforcement official having lawful custody of an inmate if such PHI is needed to provide health care to the individual.102

91 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.502(d)(2)

92 A Health Information Organization (HIO), as a business associate, may only use or disclose protected health information (PHI) as authorized by its business associate agreement with the covered entity. See 45 C.F.R. § 164.504(e). The process of de-identifying PHI constitutes a use of PHI. Thus, a HIO may only de-identify PHI it has on behalf of a covered entity to the extent that the business associate agreement authorizes the HIO to do so. However, once PHI is de-identified in accordance with the HIPAA Privacy Rule, it is no longer PHI and, thus, may be used and disclosed by the covered entity or HIO for any purpose.

93 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.502(d)(2)(ii)

94 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.512(a)(1)
95 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.512(f)(1)(ii)(A)-(B)

96 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.512(f)(1)(ii)(C)
97 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.512(f)(2)
98 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.512(f)(1)(i)
99 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.512(f)(5)
100 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.512(k)(2)
101 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.512(k)(3)
102 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.512(k)(5)



Identifying PHI §§ 164.514(a)(2)(i)

Following are the criteria for determining when information held by CareXM should be treated as PHI. CareXM will treat as PHI any RA information that relates to a Participant’s health condition, identifies a Participant, or for which there is a reasonable basis to believe the information can be used to identify the Participant, and will limit the use and disclosure of such information.

  1. CareXM will protect the use and disclosure of a Participant’s individually identifiable health information by treating certain identifiers as PHI. The identifiers pertain to the Participant, as well as the Participant’s family members, employers or household members and include but are not limited to:
    • Names.
    • Geographic subdivisions smaller than a state, including street address, city, county, precinct, and ZIP code (except that the first three digits of a ZIP code may be kept if the area formed by all ZIP codes sharing those three digits has more than 20,000 residents; otherwise the three digits are changed to 000).
    • All elements of dates (except year) directly related to an individual, including birth date, admission date, discharge date, and date of death; and all ages over 89 and any date elements (including year) that would indicate such an age, unless aggregated into a single category of age 90 or older.
    • Telephone numbers.
    • Fax numbers.
    • Email addresses.
    • Social Security numbers.
    • Medical record numbers.
    • Health plan beneficiary numbers.
    • Account numbers.
    • Certificate/license numbers.
    • Vehicle identifiers, serial numbers, and license plate numbers.
    • Device identifiers and serial numbers.
    • Web Universal Resource Locators (URLs) and Internet Protocol (IP) addresses.
    • Biometric identifiers, such as fingerprints.
    • Full-face photographs and any comparable images.
    • Any other unique identifying number, characteristic, or code.
  2. If individually identifiable health information is “de-identified,” it is no longer treated as PHI. Team Members may de-identify information by removing all of the identifiers described above, provided CareXM has no actual knowledge that the remaining information could be used, alone or in combination with other information, to identify the individual.
  3. CareXM may only use or disclose de-identified information for the purposes of research, public health, or Health Care Operations or to a business associate who has submitted the appropriate documentation as required in a Business Associate Agreement.
  4. All requests for de-identified information should be submitted to the Privacy Official for review.
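The identifier-removal (Safe Harbor) method listed above, and the de-identification of PHI before it reaches a development, test, or staging environment described under Use and Disclosures of De-identified PHI, amount to one concrete transformation of a record. The Python below is an added example written for this page, not CareXM's code or tooling; the field names, the sample record, the second "young" record and the populous ZIP-area table are assumptions. It drops the direct identifiers, reduces remaining dates to the year, applies the over-89 age rule (including dropping the birth year that would reveal such an age), truncates ZIP codes under the 20,000-resident rule, and makes a best-effort pass over free text. Pattern matching cannot prove a note is clean, and Safe Harbor additionally requires that the organization has no actual knowledge that what remains could identify the individual, which no script can establish.

```python
"""Safe Harbor de-identification of a single patient record (added example).

Applies the identifier-removal method of 45 C.F.R. 164.514(b)(2) to one
record: direct identifiers are dropped, dates are reduced to their year, ages
over 89 are collapsed into "90+" (and the birth year that would reveal such an
age is dropped with them), and ZIP codes keep only their first three digits,
and only where that three-digit area holds more than 20,000 people. The field
names, sample records and populous-ZIP table are constructed assumptions for
this example, not CareXM's data model.
"""
import re
from datetime import date

# Identifiers removed outright. Dates, ages and ZIP codes are handled separately
# because the rule lets a generalized form of them survive.
DIRECT_IDENTIFIERS = frozenset({
    "name", "street", "city", "county", "phone", "fax", "email", "ssn", "mrn",
    "plan_id", "account", "license", "vehicle", "device_id", "url", "ip",
    "biometric", "photo",
})

# Best-effort patterns for identifiers that leak into free-text notes. Pattern
# matching cannot prove a note is clean, so notes still need human review.
FREE_TEXT_PATTERNS = (
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"), "[DATE]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
)


def generalize_zip(zip_code: str, populous_zip3: frozenset) -> str:
    """Keep the first three digits only when that area has > 20,000 people, else 000."""
    zip3 = zip_code.strip()[:3]
    return zip3 if zip3 in populous_zip3 else "000"


def age_on(dob: date, today: date) -> int:
    """Whole years between dob and today."""
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))


def scrub_text(text: str) -> str:
    """Replace recognizable identifiers inside free text with placeholder tokens."""
    for pattern, token in FREE_TEXT_PATTERNS:
        text = pattern.sub(token, text)
    return text


def safe_harbor_deidentify(record: dict, populous_zip3: frozenset, today: date) -> dict:
    """Return a new dict containing only what Safe Harbor allows to survive."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key == "dob":
            continue                      # dropped entirely; dob is handled below
        if key == "zip":
            out["zip3"] = generalize_zip(value, populous_zip3)
        elif isinstance(value, date):
            out[f"{key}_year"] = str(value.year)   # month and day are identifiers
        elif isinstance(value, str):
            out[key] = scrub_text(value)
        else:
            out[key] = value
    dob = record.get("dob")
    if isinstance(dob, date):
        age = age_on(dob, today)
        if age > 89:
            out["age"] = "90+"            # the birth year would reveal the age, so it goes too
        else:
            out["age"] = str(age)
            out["birth_year"] = str(dob.year)
    return out


# Constructed sample inputs; every value is fictitious.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "street": "12 Example Way",
    "city": "Lehi",
    "zip": "84043",
    "dob": date(1930, 5, 14),
    "admitted": date(2022, 11, 3),
    "phone": "555-010-0199",
    "mrn": "MRN-000123",
    "diagnosis": "hypertension",
    "note": "Pt called from 555-010-0199, f/u 11/10/2022; contact jane@example.test",
}
YOUNG_RECORD = {"dob": date(1990, 6, 1), "zip": "99999", "note": "no identifiers here"}
# Constructed assumption: the 840 three-digit ZIP area has more than 20,000 residents.
POPULOUS_ZIP3 = frozenset({"840"})
# Fixed reference date so the age computation is reproducible.
AS_OF = date(2023, 1, 1)

if __name__ == "__main__":
    print(safe_harbor_deidentify(SAMPLE_RECORD, POPULOUS_ZIP3, AS_OF))
    print(safe_harbor_deidentify(YOUNG_RECORD, POPULOUS_ZIP3, AS_OF))
```

Run as a script it prints both scrubbed records. If a mapping from scrubbed records back to originals is kept at all, it must live outside the development, test, or staging environment, because re-identified data is PHI again and falls back under the BAA.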

Access of Individuals to PHI §§ 164.524

An individual has a right to access, inspect, and obtain a copy of PHI about the individual in a designated record set for as long as the PHI is maintained in the designated record set. CareXM will follow the guidance of the covered entity when a request to disclose is made by one of its RA members. HSAs are not governed by these same requirements.




Right to Amend PHI §§ 164.526

An individual has the right to have a covered entity amend PHI or a record about the individual in a designated record set for as long as the PHI is maintained in the designated record set. CareXM will amend record sets as directed by the covered entity.103

Right to Access and Accountings of Disclosures §§ 164.528

Under the Privacy Rule, individuals have the right to access a copy of their own PHI from a CE or BA. The right applies to PHI kept in a “designated record set,” which is broadly defined and includes medical records, billing records, and other records. Only a few exceptions exist that would prevent access. Also, Participants have a right to receive an accounting of certain disclosures of their PHI that have been made. Participants also have the right to amend PHI possessed by a CE and its BA.

CareXM will facilitate Participant access and amendments, in accordance with applicable BAAs and the directives of relevant CEs and may charge a reasonable amount to cover the costs of providing access. See the Accounting of Disclosures section of this Policy for more information.104


103 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.526

104 HIPAA Final Privacy Rule, 45 C.F.R. §§ 164.528(a)



II. Document Revision History

Revision Number | Revision Date | Revised By
A | 6-20-2020 | Kris Lundell
B | 02-05-2021 | Kris Lundell
C | 12-27-2022 | Kris Lundell


California Privacy Notice

CALIFORNIA PRIVACY NOTICE UNDER THE CALIFORNIA CONSUMER PRIVACY ACT (CCPA)

EFFECTIVE DATE: December 26, 2022

Please read this Privacy Notice carefully.

THIS CALIFORNIA PRIVACY NOTICE SUPPLEMENTS OUR GENERAL PRIVACY POLICY1 AND ONLY APPLIES TO USERS WHO ARE RESIDENTS OF THE STATE OF CALIFORNIA AND WHO EITHER (A) RECEIVE SERVICES DIRECTLY FROM CAREXM, LLC, A DELAWARE LIMITED LIABILITY COMPANY (“COMPANY,” “WE,” or “US”), OR (B) ARE USERS OF THE SITES.

This California Privacy Notice has been adopted to comply with the California Consumer Privacy Act of 2018, as amended (together with all applicable regulations, “CCPA”), and terms defined in the CCPA have the same meaning when used in this Notice, unless those terms have been otherwise defined in the general Privacy Policy.2 Accordingly, this Privacy Notice should be reviewed in conjunction with our general Privacy Policy.3

We will not sell the personal information we collect. We also will not share the personal information with third parties for cross-contextual behavioral advertising. We will not sell the sensitive personal information we collect. We also will not share it with third parties for purposes of cross-contextual behavioral advertising.

1 Place link to the privacy policy

2 Place link to the privacy policy

3 Place link to Privacy Policy

What Information Do We Collect and Disclose?

We collect information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device (“personal information”). We have collected the following categories of personal information and sensitive personal information from consumers within the last twelve (12) months:

Category | Examples | Collected | Retention
A. Personal Information and Identifiers | Real name, postal address, email address, telephone numbers, account name, social security number, driver’s license or state identification card number, passport number or other similar information, physical characteristics or description, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. | YES | 6 years
B. Protected Class Information | Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information). | YES | 6 years
C. Commercial Information | Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. | NO | 
D. Biometric Information | Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data. | NO | 
E. Internet and Network Information | Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement. | NO | 
G. Sensory Information | Audio, electronic, visual, thermal, olfactory, or similar information. | YES | 6 years
H. Employment Information | Current or past job history or performance evaluations. | YES | 6 years
I. Non-Public Education Information | Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records. | NO | 
J. Profile Information | Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. | NO | 

We do not collect, and for the previous 12 months have not collected, sensitive personal information as defined under the CCPA with the purpose of inferring characteristics about a consumer.4

Please Note: Personal information, as defined by the CCPA, does not include publicly available information from government records, de-identified or aggregated consumer information, or information excluded from the CCPA’s scope, such as (i) health or medical information covered by the Health Insurance Portability and Accountability Act and the California Confidentiality of Medical Information Act or clinical trial data, and (ii) personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, the California Financial Information Privacy Act, and the Driver’s Privacy Protection Act of 1994, among others. Accordingly, this Privacy Notice is not applicable to the foregoing information.

4 The CCPA has been recently revised to include a new category of sensitive personal information. For purposes hereof, we only need to disclose that we collect and use sensitive personal information if we collect sensitive personal information for the “purpose of inferring characteristics” about the consumer.

If we merely collect sensitive personal information (x) as a covered entity pursuant to HIPAA or (y) incidentally while collecting personal information, then we do not need to treat the sensitive personal information any differently. The CPRA expects the California Privacy Protection Agency to issue regulations that further clarify when sensitive personal information might qualify for this exception. As of today, the agency has yet to provide such clarifying regulations.

For purposes of clarity, sensitive personal information includes the following:

  • Government Identifiers, such as social security, driver’s license, state identification card, or passport number.
  • Account access credentials, such as usernames, account numbers, or card numbers combined with required access/security code or password.
  • Precise Geolocation.
  • Racial or ethnic origin.
  • Religious or philosophical beliefs.
  • Union membership.
  • Genetic data.
  • Contents of mail, email, or text messages not directed to us.
  • Unique identifying biometric information.
  • Health, sex life, or sexual orientation information.

How Do We Collect Information? We collect information from you for the purpose of treatment or healthcare operations. We collect this data through your interaction with our call center agents, or as an employee of CareXM LLC. For more information regarding our data collection practices please read our general Privacy Policy.5

Why Do We Collect and Process Information? We collect and process personal information for business purposes such as treatment and healthcare operations. To learn more about why we collect and process information, please review our general Privacy Policy.6

Do We Share Information with Third Parties? As a rule, we do not share information with third parties. We use third party providers to store information but limit their access to personal information.

We take reasonable precautions to ensure that affiliates and non-affiliated third-party service providers whose tools we use to process your personal information are aware of our privacy policies and will treat the information in a similarly responsible manner. We maintain Business Associate Agreements with all of our third-party providers to ensure that data captured by their tools is protected for confidentiality, integrity, and availability.

Do We Sell Your Information? No. We do not sell any of your personal information to any third party.

Do We Share Your Information for Cross-Contextual Behavioral Advertising Purposes? No. Although we share data with third parties as outlined in the Privacy Policy and this CCPA Privacy Notice, we do not share your personal information for cross-contextual behavioral advertising purposes.7


5 Add link to privacy policy
6 Add link to privacy policy
7 NTD The CCPA defines “cross-contextual behavioral advertising” as sharing personal information of a consumer with a third party for the purpose of “targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacts.”

Under the CCPA, as amended by the CPRA, a “third party” is defined in the negative. That is, a third party is defined by what it is not, rather than by what it is. Under the CCPA, as amended by the CPRA, a third party means a person who is not any of the following: (a) a service provider, (b) a contractor, and (c) the company “with whom the consumer intentionally interacts and that collects personal information from the consumer as part of the consumer’s current interaction with” the company.

  • The CCPA defines “service provider” as a person that processes personal information on behalf of a business and that receives from or on behalf of the business a consumer’s personal information for a business purpose pursuant to a written contract, provided that the contract, among other requirements, prohibits the service provider from: (a) selling or sharing the personal information for cross-contextual behavioral advertising purposes; (b) retaining, using, or disclosing the personal information for any purpose other than for the business purposes specified in the contract; (c) retaining, using, or disclosing the information outside of the direct business relationship between the service provider and the business; and (d) combining the personal information that the service provider receives from, or on behalf of, the business with personal information that it receives from, or on behalf of, another person or persons, or collects from its own interaction with the consumer.
  • The CCPA defines “contractor” as a person to whom the business makes available a consumer’s personal information for a business purpose, pursuant to a written contract with the business, provided that the contract, among other requirements, prohibits the contractor from: (a) selling or sharing the personal information for cross-contextual behavioral advertising purposes; (b) retaining, using, or disclosing the personal information for any purpose other than for the business purposes specified in the contract; (c) retaining, using, or disclosing the information outside of the direct business relationship between the contractor and the business; and (d) combining the personal information that the contractor receives pursuant to a written contract with the business with personal information that it receives from or on behalf of another person or persons, or collects from its own interaction with the consumer.

How Do We Protect Personal Data? We protect data using administrative, technical, and physical safeguards. When we use third-party service providers, we ask those providers to implement similar safeguards. However, we cannot guarantee that your information is completely secure either within Company or on the systems of third-party service providers.

How Long Do We Keep Your Personal Data? We retain personal data we collect from you while we have an ongoing legitimate business need to do so (i.e., to provide you with the Services you have requested or to comply with applicable legal requirements). When we no longer have an ongoing legitimate business need to process your personal information, we will physically destroy, delete, or archive it so that access to the data is no longer possible.

What Are My California Consumer Rights? If you are a California resident and are engaged in a direct business relationship with Company as a consumer for provision of the Sites or Services, you may have the following rights:

Right to Know and Data Portability. You may request that we provide to you certain information about our collection and use of your personal information for the 12 month period preceding your request, such as (i) the categories of personal information we collected about you; (ii) the categories of sources from which we collected such personal information; (iii) the purposes for collecting your personal information; (iv) the categories of third parties with access to your personal information, if any; (v) if we sold or disclosed your personal information for a business purpose, two separate lists disclosing (x) sales, identifying personal information categories that each category of recipient purchased, and (y) disclosures for a business purpose, identifying the personal information categories that each category of recipient obtained; and (vi) the specific pieces of personal information we collected about you (also called a data portability request).

Though you may request specific pieces of your personal information that we have collected, we may not provide the following information in order to protect the security of such information: social security numbers, driver’s license or other state or government issued identification numbers, bank account numbers or other financial information, any health insurance or medical identification numbers or related information, account passwords or security questions and answers.

  • Right to Request Deletion. Under certain, limited circumstances, you may request that we delete personal information that we have collected from you or maintain about you. Once we receive your request and confirm your identity, we will review your request to see if an exception allowing us to retain the information applies. We may deny your deletion request if retaining the information is necessary for us or our service providers to:
    • Complete the transaction for which we collected the personal information, provide the Services that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, or otherwise perform our contract with you.
    • Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
    • Debug products to identify and repair errors that impair existing intended functionality.
    • Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
    • Comply with the California Electronic Communications Privacy Act.
    • Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent.
    • Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
    • Comply with a legal obligation.
    • Make other internal and lawful uses of that information that are compatible with the context in which you provided it.

How Do I Submit a California Rights Request? If you are a California Resident and you have a direct business relationship with Company or use the Sites, you may make a request pertaining to the rights described above by clicking here for a Request for Disclosure8 and emailing the Request to the email address listed below:

Email Address: Compliance@carexm.com

Mailing Address: 3098 Executive Parkway, Suite 100, Lehi, UT 84043

NOTE: Please include any passwords or special instructions in your request.

PLEASE NOTE THAT YOUR REQUEST WILL NOT BE PROCESSED UNTIL YOUR IDENTITY HAS BEEN VERIFIED. ONCE YOUR IDENTITY HAS BEEN VERIFIED, YOUR REQUEST WILL BE PROCESSED IN ACCORDANCE WITH THE CCPA. IF NECESSARY, WE WILL PROVIDE ADDITIONAL DETAILS AND DIRECTIONS ON IDENTITY VERIFICATION, AND AS APPROPRIATE, UPON RECEIVING YOUR REQUEST.

With respect to your California Rights Request, please also note the following:

  • If you choose to email or mail your request, please include “California Privacy Rights Request” in the subject line.
  • We will confirm receipt of your request within 10 business days. If you do not receive confirmation within the 10-business-day timeframe, please contact CareXM at 866-256-1499.
  • Once we have verified your identity, we will respond to your request within 45 days. If we require more time (up to an additional 45 days), we will notify you in writing of the reason and the extension period.
  • Making a verifiable consumer request does not require you to create an account with us, and we will only use personal information provided in a verifiable consumer request to verify your identity or authority to make the request.
  • Any disclosures we provide will only cover the 12-month period preceding our receipt of your request. The response we provide will also explain the reasons we cannot comply with a request, as applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another without hindrance.
  • We, at our option, may not respond to more than two requests in a 12-month period.
  • We do not charge a fee to process or respond to your request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

What are My Personal Information Sales and Sharing Opt-Out and Opt-In Rights? We do not sell personal information as defined under the CCPA, nor do we share personal information for cross-contextual behavioral advertising purposes.

Do I have Right to Non-Discrimination? We will not discriminate against any consumer who has chosen to exercise their rights under the CCPA. Unless permitted by the CCPA, we will not deny you the Services, charge you different prices/rates for the Services (including through granting discounts or other benefit or imposing penalties), provide you a different level of quality of service, or suggest that you may receive a different price or rate for the Services or a different level or quality of Services.

Changes To This Privacy Notice: We reserve the right to amend this Privacy Notice at our discretion and at any time. We may make changes to the Privacy Policy without providing you prior notice. However, after we make any changes to this Privacy Policy, we will give notice to you via (i) the Sites or (ii), where feasible, and at our discretion, contact information available to us. We encourage you to periodically review this Privacy Policy to remain informed on how we are protecting your information. YOUR CONTINUED USE OF OUR SITES AND SERVICES FOLLOWING THE POSTING OF CHANGES CONSTITUTES YOUR ACCEPTANCE OF SUCH CHANGES.

How To Contact Us. If you have any questions regarding this Privacy Policy or exercising any of your privacy rights, please contact us at the telephone number, email address or mailing address listed below:
Telephone Number: 866-256-1499.
Email Address: Compliance@carexm.com


8 Add link to the CCPA disclosure form


I. Document Revision History

Revision Number | Revision Date | Revised By
A | 12-27-2022 | Kris Lundell


Notice at Collection for California Employees

NOTICE AT COLLECTION FOR

CALIFORNIA EMPLOYEES AND INDEPENDENT CONTRACTORS

EFFECTIVE DATE: December 26th, 2022

Please read this Privacy Notice carefully.

THIS CALIFORNIA NOTICE AT COLLECTION SUPPLEMENTS OUR CCPA PRIVACY NOTICE AND ONLY APPLIES TO INDIVIDUALS WHO ARE RESIDENTS OF THE STATE OF CALIFORNIA AND ARE EMPLOYEES, CONTRACTORS OR PROSPECTIVE EMPLOYEES, CONTRACTORS OR APPLICANTS OF CAREXM, LLC, A DELAWARE LIMITED LIABILITY COMPANY (“COMPANY,” “WE,” or “US”).

We collect and use Personal Information for contracting, human resources, employment, benefits administration, health and safety, and business-related purposes and to be in legal compliance. Below are the categories of Personal Information we collect and the purposes for which we intend to use this information:

Identifying information, such as your full name, gender, date of birth, and signature.
Demographic data, such as race, marital status.
Contact information, such as your home address, telephone numbers, email addresses, and emergency contact information.
Dependents or other individual’s information, such as their full name, address, date of birth, and Social Security numbers (SSN).
National identifiers, such as SSN.
Employment details, such as your job title, position, hire dates, compensation, performance and disciplinary records, and vacation and sick leave records.
Financial information, such as banking details, tax information, payroll information, and withholdings.
Health and Safety information, such as health conditions (if relevant to your employment), job restrictions, workplace illness and injury information, and health insurance policy information.
Information Systems (IS) information, such as your search history, browsing history, login information, and IP addresses on the Company’s information systems and networks.

Biometric information, such as facial recognition or fingerprints.
Geolocation data, such as time and physical location related to use of an internet website, application, device, or physical access to a Company office location.
Sensory or surveillance information, such as COVID-19 related temperature checks and call monitoring and video surveillance.
Profile or summary about an applicant/contractor/employee’s preferences, characteristics, attitudes, intelligence, abilities, and aptitudes.



The Company collects Personal Information to use or disclose as appropriate to:

  • Comply with all applicable laws and regulations.
  • Recruit and evaluate job applicants and candidates for employment.
  • Conduct background checks and evaluate you in deciding whether to hire or engage prospective employees and/or contractors.
  • Manage your employment or contracting relationship with us, including for: onboarding processes; timekeeping, payroll, and expense report administration; employee benefits administration; employee training and development requirements; the creation, maintenance, and security of your online accounts; reaching your emergency contacts when needed, such as when you are not reachable or are injured or ill; workers’ compensation claims management; employee job performance, including goals and performance reviews, promotions, discipline, and termination; and other human resources purposes.
  • Manage and monitor access to company facilities, equipment, and systems.
  • Conduct internal audits and workplace investigations.
  • Investigate and enforce compliance with and potential breaches of Company policies and procedures.
  • Engage in corporate transactions requiring review of employee and contractor records, such as for evaluating potential mergers and acquisitions of the Company.
  • Maintain commercial insurance policies and coverages, including for workers’ compensation and other liability insurance.
  • Perform workforce analytics, data analytics, and benchmarking.
  • Administer and maintain the Company’s operations, including for safety purposes.
  • For client marketing purposes.
  • Exercise or defend the legal rights of the Company and its employees and affiliates.

If you have any questions about this Notice or need to access this Notice in an alternative format due to having a disability, please contact Compliance@carexm.com or call 866-256-1499.



Revision Number | Revision Date | Revised By
A | 12-27-2022 | Kris Lundell
