

1 Purpose 

The purpose of this Privacy and Personal Data Protection Policy (the “Policy”) is to outline how the  Company will protect Personal Data, including, without limitation, Protected Health Information as  defined by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), of its patients,  patient family members, other patient advocates and representatives, Company Personnel,  candidates for employment, and customers. 


2 Scope 

This Policy applies to healthAlign and its subsidiaries (collectively referred to as the “Company”).  This Policy applies to Company Personnel, including employees, temporary workers, and any  authorized representatives, contractors, or agents (collectively referred to as “Company Personnel”  or “You” or “you”). 

Personal Data is only collected, used, and disclosed by the Company in accordance with this  Policy. Personal Data may not be added to a Company Database unless it is collected and  processed in accordance with this Policy. 


All of the Company’s other personnel policies remain in full force and effect. Except to the extent in conflict with this Policy, the Company’s Employee Handbook, Code of Conduct and Ethics, and  other policies shall supplement this Policy. 


This Policy applies whether or not the activities are conducted from or the information is maintained  on the Company’s premises. 

This Policy establishes a minimum level of standards. 


If as part of your relationship with the Company you provide services directly to a customer of the  Company either at the customer’s facility or remotely, you will be subject to this Policy as well as  any similar policy issued by the customer. 

3 Definitions

Term: Definition

“Company”: healthAlign and its subsidiaries.

“Company Personnel” or “You” or “you”: Any employee or temporary worker of the Company and any authorized representatives, contractors, or agents of the Company.


4 Collection, Notice, and Disclosure 


4.1.1 Collection of Personal Data: The Company collects Personal Data to operate effectively and to comply with state and federal regulations related to employment and the provision of patient care. The Company collects and maintains Personal Data from its customers, clients, and Company Personnel as defined above. The Company may also collect personal information that is voluntarily provided by users through Company web sites that allow users to set up an account or otherwise submit information for inquiry purposes. 

4.1.2 Personal Data – Employment: Personal Data about a Data Subject may be  collected and included in the following: Company interview notes; Information obtained through reference and background checks; Educational or professional accreditation records; Information necessary to provide payroll services, including banking  details, tax deductions, and vacation allowances; Information necessary to comply with laws or regulations (e.g. I-9 forms); Information about employees, temporary workers, and their respective  dependents and beneficiaries, as required, to enroll in any benefits packages; Reference letters; and Test results. 

4.1.3 Personal Data – Provision of Care and Services to Patients and Customers: We  may collect Personal Data from patients and customers solely for the purposes of  documenting patient care and obtaining payment for services or for providing service to  customers as further outlined in contractual agreements. 

4.1.4 Notice to Data Subjects Regarding Purpose: The Company notifies all identified  Data Subjects about the purposes for which Personal Data is collected and used. In  appropriate situations, however, Personal Data may be “de-identified” so that the identity of  individual Data Subjects cannot be known. In these cases, the Company will not notify the  Data Subjects regarding the purpose for which Personal Data is collected and used by the  Company. 

4.1.5 Requests for Personal Data: When requesting Personal Data (online or offline),  fields that are required to be completed by the Data Subject shall be identified as such. For  example, if the Data Subject is required to submit name and email address in order to  participate, but is also asked for physical address, employer, and title, the “name” and “email  address” fields shall be identified as required or mandatory fields and the consequences of  failure to complete these fields shall be indicated. 

4.1.6 Required Data Fields: The Company will require that data fields be mandatory only where the Personal Data is necessary to achieve the stated purpose.

4.2 Collection of Sensitive Data: Unless permitted or required by applicable law, Sensitive  Data may not be collected from anyone, including but not limited to patients, patient advocates and representatives, employees, temporary workers, and their respective dependents and  beneficiaries, prospective employees, customers, online visitors, business partners, and other  third parties, and may not be stored in the Company’s Databases or by vendors or other third  parties acting on the Company’s behalf. In some jurisdictions, an individual cannot validly  consent to the processing of Sensitive Data unless such processing is required by law. Patient  information designated as “sensitive”, such as psychotherapy notes or HIV/AIDS diagnosis,  shall be secured in a separate portion of the patient’s medical record and shall be disclosed  only when authorized to do so by the patient or their authorized legal representative; in response  to a court order; or when required to provide care, treatment, or services. 

4.3 Confidentiality of Personal Data: Personal Data is considered confidential and should not be disclosed within the Company except to those employees who “need to know” and third-party non-employees who “need to know” such information to satisfactorily perform their jobs and have expressly agreed to protect its confidentiality. Those who “need to know” are those who need the information to properly perform their jobs and could not be expected to do so without access to such information. Generally, employees should exercise reasonable diligence to avoid disclosure of Personal Data to third parties except when necessary and only after appropriate security precautions are taken or the proper consent has been obtained. In addition to using Personal Data internally, the Company may at times share this information with third parties. The Company only shares Personal Data about Data Subjects that is relevant to the Company’s legitimate business purposes or as required to meet legal and regulatory requirements and at all times pursuant to a Permitted Use. All Personal Data transferred to a third party shall be considered “confidential” unless otherwise specified.

4.4 Protection of Patient Information: Information regarding patients shall not be displayed  in areas that are available to the public or unauthorized personnel. 


5 Choice and Consent

5.1 Use of Personal Data Limited to Purpose for Collection: Personal Data shall not be  collected or used for purposes other than the purpose for which the Data Subject supplied the  Personal Data, unless the Data Subject has consented to such other purpose. This will generally  be by Opt-In, except where Opt-Out is permitted under this Policy and applicable law. Where it  is allowed in accordance with this Policy, Opt-Out is only valid to the extent and for the purpose  of which the Data Subject has been informed at the time, and if subsequently a different purpose  is intended, then it is necessary to go back and inform the Data Subject providing a renewed  opportunity to Opt-Out. 


5.2 Opt-In Right: Where required by applicable law, Data Subjects shall be given the option to Opt-In to use their Personal Data for purposes other than the purpose for which the Personal Data was supplied. This includes all methods of collection, whether on-line, business reply or other mail-back cards, or otherwise. Additionally, where required by applicable law, Data Subjects shall be given the opportunity to Opt-In if the Personal Data is to be disclosed to a third party.

5.3 Opt-Out Right: Where required by applicable law, a Data Subject shall be given the  opportunity to Opt-Out from allowing the Company to disclose Personal Data to a third party  and the choice of whether or not to allow the Company to use the Personal Data for purposes  incompatible with the purpose for which it was originally collected or authorized. The Company  reserves the right to require sufficient information to confirm the identity of the individual  requesting Opt-Out. 

5.4 Right to Withdraw Consent: Where required by applicable law, a Data Subject shall be  given the opportunity to withdraw consent at any time. This right cannot be conditioned or restricted. 

6 Use and Disclosure of Personal Data

6.1 Permitted Uses of Personal Data: Personal Data may not be used, collected, retained,  distributed, or disclosed except in accordance with a Permitted Use. The following are Permitted Uses: 

6.1.1 For payment and health care operations related to the coordination of patient  care; 

6.1.2 To provide the ability to contact the Data Subject; 

6.1.3 To comply with human resources requirements, including conducting workplace  investigations involving the Company or a customer of the Company; 

6.1.4 To comply with government regulations; 

6.1.5 To provide payroll and human resources functions, including employee benefits programs; 

6.1.6 To support recruitment inquiries; 

6.1.7 To facilitate the job search process and to help the Company find a suitable  temporary or permanent job match for the Data Subject, including providing Personal Data  to customers of the Company to facilitate the temporary or permanent placement process; 

6.1.8 To measure the number of users and usage of our web sites; 

6.1.9 To store information about the Data Subject’s online preferences; 

6.1.10 To recognize when the Data Subject returns to our web sites; 

6.1.11 To provide the Data Subject with information on goods and services requested  or which may interest the Data Subject, where the Data Subject has consented to be  contacted for such purposes; 

6.1.12 For notification of events, surveys, workshops, and training sessions run by the Company;

6.1.13 To notify the Data Subject about changes to our services; 

6.1.14 Pursuant to a consent from the Data Subject; and 

6.1.15 Where the disclosure of Personal Data is permitted or required by law  (collectively and individually a “Permitted Use”). 


6.2 Fair and Lawful Processing of Personal Data: Personal Data shall be processed fairly and lawfully using only the minimum amount necessary to perform an assigned task. Personal  Data shall be collected, used, and disclosed for a specified, explicit, and legitimate purpose and  not further processed in a way incompatible with that purpose. 


6.3 Accuracy of Personal Data: Personal Data shall be accurate and, where necessary, kept  up to date. Every reasonable step shall be taken to ensure that data, which is inaccurate or  incomplete, with regard to the purposes for which it was collected and for which it is further  processed, is erased or rectified. 


6.4 Retention of Personal Data: Personal Data shall be kept in a form that permits identification of Data Subjects for no longer than is necessary for the purposes for which the data was collected or for which it is further processed. Once the Personal Data is no longer needed for legal or legitimate business purposes, the Company shall destroy or de-identify the Personal Data in accordance with the Company’s Records Retention Policy.


6.5 Photographs, Digital Images, and Recording: 

6.5.1 All business-related photographs, film, videotape, and digital photography  require proper written consent. No person may photograph a patient, family, or caregiver  without first obtaining proper consent or authorization from the Privacy Officer. 

6.5.2 The use of personal cellular phones, cameras, or other electronic devices to  record any patient, family, or caregiver information, for any purpose is strictly prohibited. 

7 Data Security 

7.1 Security Measures for Personal Data: The Company will strive to provide security that  is proportional to the sensitivity of the Personal Data being protected. The following technical,  administrative, and organizational measures shall be implemented and observed to protect  Personal Data from accidental or unlawful destruction; from accidental loss, alteration,  unauthorized disclosure or access; and against all other unlawful forms of processing. At all  times, Personal Data shall be handled according to the Company Information Security Policy. 

7.1.1 Restricted and Secured Access: All Personal Data shall be kept secure with  restricted access. Access to Personal Data shall be restricted via use of secure files, locks,  cabinets, passwords, etc. and limited to those with a legitimate business purpose related to  a Permitted Use.

7.1.2 Database Identification: Databases shall identify the Permitted Uses of the  Personal Data. 

7.1.3 Disclosure of Personal Data to Third Parties: The Company may not always be able to control how Personal Data will be handled by a third party. Where required by applicable law, however, prior to the disclosure of Personal Data to a third party, the Company will obtain a written agreement from the third party obligating the third party to provide the same level of administrative, physical, and technical safeguards to protect Personal Data as used by the Company and requiring the third party to return to the Company or certify adequate destruction of the Personal Data when the third party ceases to be a data processor of the Personal Data. Where required by applicable law, this agreement shall restrict the third party’s use of the Personal Data to only the purposes for which it was obtained. Additionally, when appropriate or required by applicable law, the Company shall be given the contractual right to periodically audit third-party vendors’ use, processing, storage, and destruction of Personal Data.

7.1.4 Third-Party Obligations Regarding Personal Data Breaches: As part of the  overall effort to adequately protect Personal Data, when appropriate or required by  applicable law, third parties shall be contractually obligated to notify the Company promptly  following an actual or reasonably suspected privacy or security breach, including the  unauthorized access, use, modification, or transfer of Personal Data. When appropriate,  third parties shall also be contractually obligated to cooperate with the Company in the event  of an actual or reasonably suspected privacy or security breach. 

7.1.5 Original paper records shall be filed and shall not be removed from the office  except by court order or for transfer to and from storage facilities or other authorized sites as needed to accomplish the day-to-day business of the Company. Records shall be stored  in a manner that minimizes the possibility of damage from theft, wind, fire, and water. 

7.1.6 All personnel records will be kept in a locked cabinet or room when not being  utilized. Officer Leadership will be responsible for the key. No unauthorized individual will  be allowed access to records. 

7.1.7 Records may be photocopied by authorized employees as necessary to accomplish the day-to-day business of the Company. Where possible and as necessary, Personal Data, including but not limited to an individual’s name, email address, work or home telephone number, home postal or other physical address, birth date, driver’s license number or other municipality-issued identification card number, social security number or other national identification number, financial account, credit card or debit card number, or other information that enables identification of a person or individual, shall be removed or otherwise redacted (blackened out) for privacy purposes.


7.2 Documentation being placed in the mail shall be secured in proper envelopes,  addressed to the office, and contain adequate postage for delivery.

8 Training of Company Personnel Regarding Policies 

Company Personnel who access Personal Data shall be regularly trained on the Company’s  Privacy and Personal Data Protection Policy, Online Privacy Policy, and the appropriate use and safeguarding of Personal Data. 

8.1 Training of Company Personnel Regarding Security Procedures for Personal Data:  Company Personnel shall be trained to take reasonable precautions to physically secure  Personal Data. The Company shall establish and maintain physical and environmental controls  as needed for each facility that employees should be aware of and follow.

9 Data Access

9.1 Review of Personal Data by Data Subjects: Personal Data shall be available to Data  Subjects for review and update by one of the following methods. 

9.1.1 Indirect Review of Personal Data: Indirect methods include an email alias to  which Data Subjects can submit requests to update their Personal Data or their preferences  or a phone number that the Data Subject can call. 

9.1.2 Example: The following language, appearing on a web page, is an example of an indirect method of access: “If you have submitted personal information to the Company  via our web site and would now like to have that information updated, please send an email  to [insert name of alias]” 

9.1.3 Direct Review of Personal Data: Direct methods include password-protected  access to Databases for online updating by Data Subjects of their Personal Data. 

9.1.4 Example: Registered Applicants can review and update their Personal Data by  accessing a self-service portal. 

9.2 Requests to Access, Use, or Disclose Personal Data: As required or permitted under  applicable state and federal laws, Data Subjects may make a written request for access to or  release of their Personal Data that the Company holds for them. The Company reserves the  right to redact protected information in order to give Data Subjects access to their Personal 


9.2.1 Each request to access, use, or disclose Personal Data shall be reviewed and managed in accordance with the Company’s GUIDELINES FOR RESPONDING TO  REQUESTS/SUBPOENAS FOR ACCESS TO, AMENDMENT OF AND/OR RELEASE OF  PATIENT AND EMPLOYMENT RECORDS. 

9.3 Request for Amendment or Correction: As required or permitted under applicable state  and federal laws, Data Subjects have the right to have their Personal Data corrected, amended,  or deleted as appropriate where it is inaccurate. All requests for amendments or corrections to a medical record shall be submitted to the Privacy Officer.

10 Use of Cookies, Web Bugs, and Similar Technologies 

10.1 Right to Refuse Cookies: Users shall be given the opportunity to refuse cookies. The  use of cookies to collect Personal Data shall always be optional to an online visitor to the  Company’s web sites. Visitors shall be able to enter and use the Company’s websites with  their browsers set to refuse cookies. Those who refuse cookies, however, may not be able to  take full advantage of the Company’s web sites and, if this is the case, visitors should be  made aware of that fact. 


10.2 Use of Cookies or Web Bugs on Company Sites: When utilizing cookies or web bugs, also known as web beacons, on the Company’s sites, Company Personnel shall ensure users are given clear and precise information (1) that cookies or web bugs are used to collect Personal Data; (2) in what instances cookies or web bugs will be used to collect Personal Data; (3) what information will be stored in a cookie or web bug, and, if applicable, (4) that cookies or web bugs are placed on the Company’s web sites by third parties; and (5) a disclosure of any transfer of Personal Data collected by a Company cookie or web bug to third parties, including contractors and vendors. Any collection of Personal Data by third-party cookies or web bugs and any transfer to third parties of information collected by the Company’s cookies and web bugs for purposes unrelated to the reason for which the Personal Data was initially collected require that Data Subjects Opt-In to such transfers. The Company will disclose all uses of tracking technology, whether cookies, web bugs, or similar technologies, up front and explain to users how they may disable cookies, web bugs, or the similar technology being used via their browsers.


10.3 Notice to Users Regarding Cookies or Web Bugs: Users should be directed to wording  similar to the following on web sites where cookies or web bugs are used to collect Personal Data: 

“A cookie is a small data file that certain web sites write to your hard drive when you visit them. A  cookie file can contain information such as a user ID that the site uses to track the pages you have visited. 

A web bug is a graphic on a web page or email that gathers information about the computers that  view the web page or email. A web bug can collect your IP address and the time you viewed the web  site or email. 

Neither of these devices can read data from your hard disk or read cookie files created by other sites  other than as described above. Some parts of the Company’s web sites use cookies and web bugs  to track user traffic patterns on the Company’s site. The Company does this in order to determine the  usefulness of our web site information to our users and to see how effective our navigational structure  is in helping users reach that information. 

If you prefer not to receive cookies or web bugs while browsing our web site, you can set your browser to warn you before accepting cookies or web bugs and refuse them when your browser alerts you to  their presence. 

You can also refuse all cookies and web bugs by turning them off in your browser, although you may not be able to take full advantage of the Company’s web sites if you do so. You do not need to have cookies turned on to use/navigate through many parts of the Company’s web site, except that access to certain of the Company’s web pages requires a login and password.

You can typically find information on how to adjust your cookie preferences for popular browsers at each browser’s support site.”

11 Click-through Tracking

11.1 Collection of Non-Personal Data: Where possible, the Company will collect only non-Personal Data if click-through tracking is being used on a site.

11.2 Collection of Personal Data: If Personal Data will be collected, click-through tracking or  other forms of online tracking are not permitted unless: 

11.2.1 Meaningful Disclosure: The Company provides Data Subjects with a meaningful  disclosure about what tracking is being conducted, what information or Personal Data is  being collected, how it is used, and how a Person can Opt-Out; 

11.2.2 Method for Opt-Out: The Company provides Data Subjects with a clear and  unambiguous method for Opting Out; and 

11.2.3 Security and Storage of Personal Data: The information or Personal Data  collected shall be secure and kept for no longer than necessary for the stated purpose. 

11.2.4 Use of Personal Data for Different Purpose: Before the Company uses the  information or Personal Data in a manner that is materially different from what was stated  when the data was collected, where required by applicable law, it will obtain the affirmative  express consent (Opt-In) from the Data Subject. 

11.3 Collection of Sensitive Personal Data: Sensitive Personal Data shall not be collected for  use in marketing unless the appropriate consent is obtained in jurisdictions where consent is  allowed to be obtained.

12 Sale of Personal Data

It is against the Company’s policy to sell or rent Personal Data that the Company maintains  about Data Subjects, including but not limited to its employees, temporary workers, and their  respective dependents and beneficiaries, prospective employees, customers, prospective  customers, clients, online visitors, or business partners. 

13 Agreements with Vendors of Personal Data and Providers of Services

13.1 Company Policy with Vendors: The Company’s policy is to do business with companies that respect the privacy of Data Subjects. Where appropriate, vendors and business partners that handle or manage Personal Data for the Company or host web sites or applications for the Company should have appropriate Privacy Statements on their web sites and follow policies regarding the collection and use of Personal Data which are at least as restrictive as the Company’s Privacy and Personal Data Protection Policy.

13.2 Procurement of Personal Data from Vendors: It is essential that vendors who are selling or  passing on Personal Data have the right to do so for the purposes for which the Company needs  it. To ensure this, appropriate agreements shall be signed. No list may be purchased or rented  for use by the Company unless the vendor represents and warrants that the Personal Data  was collected in a manner that conforms with applicable law and which permits the use for  which the Personal Data is procured. 

13.3 Recordkeeping Requirement for Procurement of Personal Data: Any Company Personnel  receiving Personal Data from a third party shall maintain adequate records of lists rented or  purchased so as to be able to identify the source of the Personal Data.

14 Persons under the Age of 18 and 13

14.1 Persons under the age of 18: The Company’s policy is not to collect Personal Data from  individuals under the age of 18 without the consent of their parents. 

14.2 Persons under the age of 13: The Company’s policy is not to collect Personal Data from  children under the age of 13 (Minor Children). Any deviation from this Policy requires approval  from the Legal Department. 

15 Spam and Email Marketing

15.1 Spam and Email Marketing Guidelines: Spam, generally speaking, is the unlawful  practice of sending commercial email to persons with whom one has had no prior business or  personal relationship or sending email without a truthful reply path. Email Marketing shall  adhere to the following: 

15.1.1 Truthful Information: All information regarding the point of origin, the  transmission path, and the return path, shall be truthful, meaning the reply path of the email  shall return to the Company when the recipient sends a “reply to” email. 

15.1.2 Consent by Recipient: No email may be sent to a recipient who has not  consented to receiving the email in accordance with this Policy, or who has unsubscribed  after initially Opting In from receiving emails from the Company. 

15.1.3 Adherence to Opt-Out: No email may be sent to an individual who has Opted  Out by requesting to be listed on a do-not-email list. 

15.1.4 Unsubscribe Information: All email sent by the Company as part of an email to  a mailing list shall contain instructions (in a type size at least as large as the text of the  email) on how to unsubscribe from receiving future marketing email. Unsubscribe requests  shall be honored within ten (10) business days. 

15.1.5 Email Addresses in Database: Email addresses cannot be entered into a  Database unless the Data Subjects have Opted In to receiving email from the Company. 

15.1.6 Entity Information: Emails should include the Company entity’s name, physical  address, and either a toll-free number or an email address for use by individuals who wish  to Opt-Out from receiving future emails. 

16 Data Retention and Cleaning

16.1 Compliance with Laws and Policy: The Company will retain Personal Data as long as  required by law, by regulation, and in accordance with its Record Retention Policy. A customer  of the Company may also require that the Company keep or destroy Personal Data in  accordance with the customer’s data retention policy. Personal Data will be retained and  disposed of in a secure manner in accordance with the Company’s Record Retention Policy. 

16.2 Retention of Personal Data: Personal Data shall be retained only for the amount of time  necessary for the Permitted Uses and shall be kept up to date. Inactive information should not  be kept for longer than required by applicable law or business necessity and should be kept in  accordance with the Company’s Record Retention Policy. 

16.3 Updates to Personal Data: It is up to each Database Owner to regularly update Personal  Data and Opt-In and Opt-Out preferences.

18 Enforcement 

Any Company Personnel found to have violated this Policy may be subject to disciplinary action,  up to and including termination of employment or contract, with or without prior notice or warning. 

To the extent any portion of this Policy is inconsistent with any federal, provincial, state, or local  law or regulation, such portion shall be modified to the extent necessary to comply with such  federal, provincial, state, or local law or regulation, and the remaining portions of the Policy shall  remain unaffected. 

19 Revision History