MH Sub I, LLC and its subsidiaries and corporate affiliates (collectively, "Company," "our," "us," or "we") operate websites, provide products and services through mobile and other applications, and develop software. We refer to these as "site(s)," "service(s)," or "our sites and services."
Data Controller and Contracting Parties
For the purposes of the General Data Protection Regulation 2016/679 (the “GDPR”), the data controller is your healthcare provider (“Controller”).
The data processor is MH Sub I, LLC registered in the State of Delaware, United States of America with a registered address at 909 N. Pacific Coast Highway, 11th Floor, El Segundo CA 90245.
You can contact processor’s Data Protection Officer by sending an email to [email protected] or by writing to:
MH Sub I, LLC
Attn: Legal Department
909 N. Pacific Coast Highway, 11th Floor
El Segundo, California 90245 U.S.A.
1. Personal Information that You Provide to Us or to Controller
Personal information is information that can be used to identify, locate, or contact an individual, and includes other information that may be associated with personal information. When you interact with our sites and services, depending on the site or service, we may collect the following personal information directly from you, on behalf of Controller:
- Account or Registration Information where needed to use our sites and services, and may include your name, address, email address, telephone number, birthday, user account name, and password;
- Contact Information, which generally includes your name, addresses, email addresses, and/or telephone numbers;
- Payment Information where needed to process payments and generally includes your credit or debit card number, expiration date, and card verification number;
- Transaction Information, which may include information about how you interact with and use our sites and services, email, other communications, and applications, and how you interact with merchants, business partners, and service providers;
- Geographic Location Information, but only if your device transmits location data and/or your IP address and you have activated a location-enabled site or service;
- Survey Data, which is collected on behalf of Controller and generally includes survey questions and responses;
- Medical Information, where needed for the functionality of certain services, such as to connect you with your healthcare provider, and may include your medical history, present symptoms, future conditions or treatments, insurance carrier and plan, and any other medical and health information you or your healthcare provider choose to provide to us;
- Appointment Information, where needed to schedule an appointment or consultation through our online appointment or consultation services and may include the requested appointment information, which may be linked with health or legal information that you have provided; and
- Your Submissions, which generally includes information you voluntarily provide through free form text boxes, forums, document upload, or data retrieval or import.
In each of the above instances, you will know what personal information we collect through our sites and services because you voluntarily and directly provide it to us. Additionally, as a data processor, we may receive your personal information from Controller. Please note that we have no control over, and are not responsible for, Controller’s privacy practices.
2. Other Information We Automatically Collect through Cookies and Other Technologies
We or our third-party service providers may collect and store certain technical information when you use our sites and services. For example, our servers receive and automatically collect information about your computer and browser, including, for instance, your IP address, browser type, device size, and other software or hardware information. If you access our sites and services from a mobile or other device, we may collect a unique device identifier assigned to that device (UDID), type of device, general GPS location, or other transactional information for that device.
3. Our Legal Bases for Processing
We will only collect and process personal information where we have a legal basis for such collection and processing. We rely on a number of legal bases, including:
- our legitimate interests in providing and improving our sites and services;
- our legitimate interests in keeping our sites and services safe and secure;
- your consent to the processing of your personal information, which you can revoke at any time;
- where the processing of personal information is necessary for the performance of a contract to which you are a party;
- where the processing of your personal information is required to protect your vital interests or those of another person, such as other users of our sites and services; and
- where the processing of personal information is necessary to comply with a legal obligation such as a law, regulation, search warrant, subpoena, or court order.
4. How We Use Personal Information
4.1 Personal Information that You Provide to Us
As a data processor, we will only process your personal information, through our sites and services, in accordance with our agreement with Controller and as required by applicable law. We may use the personal information that you provide through our sites and services in one or more of the following ways:
- to carry out our obligations arising from your purchase of, or subscription to, our services through the contract entered into between you and Controller;
- to enable Controller to send you important notices, such as communications about changes to your account, and our sites' and services' terms, conditions, or policies;
- to process payments and to send you emails, invoices, receipts, notices of delinquency, alerting you if we need different or updated payment card information or other communications in connection with processing and collecting payments;
- to improve our sites and services and customize your user experience;
- to enable Controller to contact you via email, telephone, text or chat in a manner required by law;
- to meet our contractual obligations;
- to enable Controller to send you reminders, technical notices, updates, security alerts, support and administrative messages, and service bulletins;
- to enable Controller to inform you about new products or promotional offers, or other opportunities which we feel will be of interest to you, and to provide advertisements to you through our sites, email messages, text messages, applications, or other methods of communication;
- to provide customer service and technical support;
- to administer surveys, sweepstakes, giveaways, contests, or similar promotions or events sponsored by us, Controller, or our partners;
- for internal purposes such as auditing, data analysis, and research to improve our products, services, and communications;
- to help you contact or schedule an appointment with a healthcare provider or a legal professional and to remind you of upcoming or follow-up appointments;
- to perform services in conjunction with interactive tools, such as integrating practice management systems, making a referral, sending a prescription to a pharmacy, or sending a test to a clinical laboratory; and
- to run (or authorize third parties to run) statistical research on individual or aggregate trends.
In addition to the uses described above, we may use personal information that we collect for other purposes that are disclosed to you at the time we collect the information, or with your consent.
4.2 Other Information We Automatically Collect Through Cookies and Other Technologies
We may use information collected from you through cookies and other tracking technologies in one or more of the following ways:
- to remember you when you return to our sites and services;
- to provide you with access to features of our sites and services;
- to understand and analyze trends, to monitor usage, and learn about user behavior; and
- to conduct market research and measurement in order to improve our sites and services and to make our sites and services more useful for users.
5. Sharing Personal and Non-Personal Information
We may share your personal information with Controller and other third parties in the following circumstances:
- when we engage third parties to perform services on our behalf; such services include maintenance, hosting, data storage, security, analytics and data analysis, payment processing, marketing, email and text message distribution, customer service, and surveys and sweepstakes;
- when you communicate with us by email, submit an online form through our sites and services, request information, purchase a product or service, or otherwise submit a request through our sites and services, the personal information you provide may be shared with Controller or other third parties to process or respond to your request, provide you with the products or services you requested, or complete a transaction;
- when you schedule an appointment with a healthcare provider we may share your contact data, insurance data, and medical data with such healthcare provider;
- where necessary to operate our sites and services, your personal information and the contents of all of your online communications on or through our sites and services may be accessed and monitored:
  - to satisfy any applicable laws or regulations,
  - to defend ourselves in litigation or a regulatory action,
  - when we have a good faith belief that we are required to disclose the information in response to legal process (for example, a subpoena, court order, or search warrant),
  - where we believe our sites and services are being used in the commission of a crime, including to report such criminal activity or to exchange information with other companies and organizations for the purposes of fraud protection and risk management, and
  - when we have a good faith belief that there is an emergency that poses a threat to the health and/or safety of you, another person, or the public generally; and
- in the event of a merger, acquisition, debt financing, restructure, sale of Company's assets by or with another company, or a similar corporate transaction, we may need to disclose and transfer all information about you, including personal information, to the successor company.
We may share personal information about you for any other purpose(s) disclosed to you at the time we collect your information or with your consent.
6. Accessing and Updating Personal Information
As a data processor, we collect, process, and retain your personal information on behalf of, and under the instructions of, Controller. If you would like to access, view, correct, or delete your personal information, please contact Controller directly.
Any request we receive to access and update personal information will be passed to Controller. However, please note that we will assist Controller in responding to your request in accordance with our agreement with Controller and as required by applicable law or regulation.
7. Storing Personal Information
8. Email and Other Communications; Opting Out
Our sites and services may allow Controller to communicate with you through our in-product instant messaging services, service-branded emails, SMS, and other electronic communication channels.
8.1 Text Messaging
If your healthcare provider has signed up for our text messaging services, you may automatically receive appointment reminder messages and other health care messages, as defined by the Health Insurance Portability and Accountability Act, the Health Information Technology for Economic and Clinical Health Act (collectively referred to herein as HIPAA), which, under limited circumstances, are exempt from the Telephone Consumer Protection Act and sent at the request of your healthcare provider. Your healthcare provider has represented and warranted to us that they have provided us your correct and current mobile phone number and that they have received your consent to the use of an automatic dialing system to deliver appointment reminder messages and other informational health-related messages to the phone number you provided. When you respond to a text message and start a conversation with us, you agree we may continue to text you. If you have questions about the health care messages sent on behalf of your healthcare provider, you can read more here, contact your healthcare provider directly, or reply “HELP” within the text message for additional information.
8.2 Opting Out of Requested Communications
Requested communications include, for instance, email newsletters and software updates that may be expressly requested by you or which you consented to receive. After you request such communications, you may "opt-out" of receiving them by using one of the following methods:
- selecting the email "opt-out" or "unsubscribe" link, or following the opt-out instructions included in each email communication; or
- contacting Controller.
8.3 Opting Out of Transactional or Relationship Communications
Communications that are sent by or on behalf of Controller are indicated as being from that Controller. Communications that are sent by us are indicated as being from us or one of our account or support specialists. Email communications received from Controller and our administrative announcements are often transactional or relationship messages, such as appointment requests, reminders, and cancellations. You may not be able to opt-out of receiving certain email messages, although our sites and services may provide a means to modify the frequency of receiving them.
8.4 Opting Out of General or Promotional Communications
General communications provide information about products, services, and/or support and may include special offers, new product information, or invitations to participate in market research. You may opt-out of receiving these general communications by using one of the following methods:
- selecting the email "opt-out" or "unsubscribe" link, or following the opt-out instructions included in each email communication; or
- contacting Controller.
9. Protecting Personal and Protected Health Information
We use reasonable and appropriate administrative, physical, technical, and data security procedures and controls to safeguard your personal and Protected Health Information (“PHI”), as such term is defined by HIPAA, against unauthorized access, disclosure, loss, misuse, and alteration. Under applicable law, we are required to apply reasonable and appropriate measures to safeguard the confidentiality, integrity and availability of PHI residing on and processed by our sites and services.
We use third-party service providers to manage credit card and payment processing. These service providers are not permitted to store, retain, or use billing information except for the sole purpose of credit card and payment processing on our behalf. When you enter payment information to be processed by our third-party service providers, we encrypt the transmission of that information using transport layer security (TLS) technology and do not store it on our systems.
It is important to remember, however, that no system can guarantee 100% security at all times and we cannot guarantee the security of information stored on or transmitted to or from our services. We cannot assume responsibility or liability for unauthorized access to our servers and systems. When disclosing any personal information or PHI, you should remain mindful of the fact that it is potentially accessible to the public and, consequently, can be collected and used by others without your consent. Accordingly, you should carefully consider if you want to submit sensitive information that you would not want disclosed to the public and should recognize that your use of the Internet and our sites and services is solely at your risk. You are ultimately responsible for maintaining the secrecy of all your personal information, including your PHI. Except as provided in a contract between us and Controller, we have no responsibility or liability to anyone for the security of your personal information or PHI transmitted via the Internet.
10. Linked Websites and Services
Our sites and services may collect, disclose, use, and store PHI that you submit to your healthcare provider or that your healthcare provider submits to us. Our collection, disclosure, use, and storage of PHI is governed by HIPAA.
11.1 Use and Disclosure of Your Protected Health Information
When you use certain services (for example, appointment request) the PHI that you submit is used and disclosed by us as a Business Associate, as defined by HIPAA, according to the terms of the Business Associate Agreement between us and your healthcare provider. Accordingly, we may only use and disclose your PHI on behalf of, or to provide services to, your healthcare provider according to the terms of the Business Associate Agreement. There are exceptions to this use and disclosure restriction. Under such exceptions, we may use and disclose your PHI (i) for our internal management and administration; (ii) to carry out our legal obligations; and (iii) to perform data aggregation services for your healthcare provider and other healthcare providers; provided that, any disclosures for our internal management and administration or to carry out our legal obligations are either required by law or made after we obtain reasonable assurances from the party to whom the PHI is disclosed that such PHI will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to such party.
11.2 How to Access, Change, or Remove Your PHI
Subject to certain exceptions, HIPAA establishes rights with respect to your PHI. These rights generally include the right to restrict the uses and disclosures of your PHI, the right to access and receive a copy of your PHI, the right to amend your PHI, and the right to receive an accounting of the disclosures of your PHI. If you wish to exercise any of these rights, please contact your healthcare provider.
Please note that you are not entitled to review the content of another user's account. Accordingly, if you have used our sites and services to share personal information with another user or third party, you may not be entitled to access, update, or delete the information that you shared. Further, please note that other users may submit information that identifies you, and you may not be entitled to access, update, or delete that information. In either case, certain users, such as healthcare providers, may be required by HIPAA and other applicable laws or regulations to retain such information for extended periods of time.
Most of our Business Associate Agreements require us and our subcontractors to either return or destroy PHI received or created pursuant to the business associate relationship upon the termination of the Business Associate Agreement. Accordingly, if the Business Associate Agreement between us and your healthcare provider has terminated, then any PHI that you submitted to our sites and services, or otherwise maintained by us or a subcontractor in connection with our sites and services, will be returned to the healthcare provider or destroyed by us or such subcontractor.
12. Children's and Minor's Privacy
Children under the age of 13 are not permitted to use our sites and services. We do not knowingly collect personal information from children under the age of 13 or utilize plug-ins or ad networks that collect personal information through child-directed third-party websites or online services. If we learn that we have collected personal information from a child under 13, we will take steps to promptly delete such information.
Our sites and services generally require users to be at least 18 years of age. Without limiting the generality of the foregoing, our services may allow users above the age of 18 (such as healthcare providers, parents, and guardians) to submit personal
13. International Users
We are headquartered in the United States. Our sites and services are hosted and administered in the United States or hosted with cloud service providers who are headquartered in the United States and are intended for users in the United States. If you are located outside the United States, be aware that information you provide to us or that we obtain as a result of your use of our sites and services may be processed in, transferred to, and stored in the United States and will be subject to United States law. The privacy and data protection laws of the United States may be different from the laws of your country of residence.
By using our sites and services or providing us with your information, you consent to the transfer of your information to the United States for processing and storage.
14. California Privacy Rights
FOR RESIDENTS OF CALIFORNIA ONLY. Section 1798.83 of the California Civil Code requires select businesses to disclose policies relating to the sharing of certain categories of your personal information with third parties. If you reside in California and you have provided us with your personal information, you may request information about our disclosures of certain categories of your personal information to third parties for direct marketing purposes. To make such a request, please contact Controller. Any request we receive will be passed to Controller. However, we will assist Controller in responding to your request in accordance with our agreement with Controller and as required by applicable law or regulation.
FOR RESIDENTS OF CALIFORNIA UNDER THE AGE OF 18. In accordance with Section 22581 of the California Business and Professions Code, you may request and obtain the removal of content or information you have publicly posted. To make such a request, please contact Controller. Any request we receive will be passed to Controller. However, we will assist Controller in responding to your request in accordance with our agreement with Controller and as required by applicable law or regulation.
15. EU Privacy Rights
FOR RESIDENTS OF THE EUROPEAN UNION ONLY. Under European data protection law, in certain circumstances, you have the right to:
- request access to your personal information;
- request correction of your personal information;
- request erasure of your personal information;
- object to processing of your personal information;
- request restriction of processing your personal information;
- request transfer of your personal information; and
- withdraw your consent.
In addition, you have the right to request that the data controller not process your personal information for marketing purposes.
16. Contacting Us
Last Updated: July 16, 2018