Effective: August 24, 2023
California Privacy Rights
These California Privacy Rights supplement the information contained in the Privacy Policy for MedRisk and applies to certain residents of the State of California. The terms used in this Privacy Notice have the same meaning as the terms defined in the California Consumer Privacy Act (“CCPA”).
A Note About MedRisk as a Service Provider
This California Privacy Rights Notice for California residents applies to information that we collect in our capacity as a “business” under the CCPA, i.e., when we collect information on our own behalf. If you interact with MedRisk based on your relationship to one of our clients (e.g., your employer or insurance carrier), you should review such client’s privacy policy and send any questions or communications relating thereto directly to such client (including, without limitation, if you wish to exercise any rights available to you under the CCPA). We assume no responsibility to you or any other third party with respect to any obligations of our clients under the CCPA. If you are not certain whether we are acting as a service provider in your particular circumstance, please contact us using the contact information provided in this Privacy Notice.
What Personal Information We Collect and Disclose
In accordance with the CCPA, personal information is information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information does not include information outside the scope of the CCPA such as:
- Health or medical information covered by the Health Insurance Portability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA);
- Personal Information covered by the Gramm-Leach-Bliley Act (GLBA), the Fair Credit Reporting Act (FCRA), the California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994;
- Publicly available information or lawfully obtained, truthful information that is a matter of public concern;
- Publicly available information that is lawfully made available to the general public from federal, state, or local government records; and
- De-identified or aggregated consumer information.
The CCPA requires us to tell you what categories of personal information we sell, share or disclose. We do not sell and will not sell your personal information as that term is commonly understood. We also do not sell and will not sell your personal information, including the personal information of persons under 16 years of age, as that term is defined by the CCPA. When it is necessary for a business purpose, we may disclose your personal information to a customer, service provider or contractor, and we enter into a contract with the customer, service provider or contractor that limits how the information may be used and requires the customer or service provider to protect the confidentiality of the information.
We may also transfer to a third party the personal information of a person as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the MedRisk business.
Please see the chart below to learn what categories of personal information we may have collected about California consumers within the preceding twelve months, the sources of and business purposes for that collection and the third parties, as that term is defined in the CCPA, to whom the information has been disclosed, if any.
Our Retention of Personal Information
The length of time that we retain personal information largely depends upon the purpose for which the information was collected rather than the category of the information as set forth in this Notice. When establishing retention periods, we consider applicable statutes
of limitation and legal and regulatory requirements and guidelines. Personal information is generally retained for periods of time that permit the company to meet its legal and regulatory obligations.
Your Rights and Choices
The CCPA provides California residents with certain rights regarding their personal information. This chart describes those rights and certain limitations to those rights.
To Exercise Your Rights
To Opt-out of the Sale or Sharing of Your Personal Information
The CCPA gives consumers the right to direct a business that sells or shares personal information about the consumer to third parties not to sell or share the consumer’s personal information. We do not sell and will not sell your personal information as that term is commonly understood. We also do not sell and will not sell your personal information, as that term is defined by the CCPA. We do not share your personal information as that term is defined in the CCPA.
To Limit the Use of Sensitive Personal Information
The CCPA gives consumers the right to direct a business to limit the use of the consumer’s sensitive personal information to that use which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services and certain other limited uses as described in the CCPA and applicable regulations. We do not use or disclose sensitive personal information for purposes other than those purposes specified in Section 7027, subsection (m) of the California Consumer Privacy Act Regulations. If we begin using or disclosing your sensitive personal information outside of those purposes, then we will provide you with the option to limit our use or disclosure through a clear and conspicuous link on our internet homepage.
To Request Access to or Correction or Deletion of Your Personal Information
To exercise your access, correction or deletion rights described above, please submit a verifiable consumer request to us by either: Calling us at 877-404-3695 or emailing us at ccpa@medrisknet.com.
Only you or your representative that you authorize to act on your behalf (Authorized Agent) can make a verifiable consumer request for your personal information. You may also make a request for your minor child. The verifiable request must provide enough information that allows us to reasonably verify you are the person about whom we collected personal information. We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and to confirm the personal information relates to you.
We use several layers of authentication in order to verify your identity and safeguard access to your personal information. We will request that you respond to a text message from our representative. We will also request that you provide certain information such as your first and last name, your address and your birthdate and respond to other questions designed to authenticate your identity. If we are unable to verify your identity, we may require additional authentication or your request may be rejected.
We work to respond to a verifiable consumer request within 45 days of its receipt. If we require additional time, we will inform you of the extension period (up to an additional 45 days), and the reason for the extension in writing. We will deliver our response by mail or electronically, depending on your preference. The response we provide will also explain any reasons why we cannot comply with a request.
You may only make a consumer request for access twice within a twelve-month period. Any disclosures we provide will apply to the twelve-month period preceding the receipt of the consumer request.