HealthStream Privacy Statement
HealthStream values you and your privacy. This Privacy Statement explains how we collect and treat information via healthstream.com, marketplace.healthstream.com, cmecourses.healthstream.com, manager.nursegrid.com, shiftwizard.com, missioncare.com, and other websites and channels we own or operate (collectively, the “Site”), as well as HealthStream’s online services, mobile applications, and software-as-a-service offerings, and other products and services we offer (collectively, with the Site, our “Services”) to hospitals, universities, healthcare organizations, associations, and other customers (each a “Customer”) for use by the healthcare practitioners, students, or other individuals that the Customer permits to register as users (each a “User”) and the Customer’s administrator or other representative.
If you have questions about our privacy practices or would like to make a complaint, please contact us at webmaster@healthstream.com.
Privacy Statement Updates
Our Privacy Promise
HealthStream understands that your privacy is important, and we want you to have a clear understanding of how we collect and treat your information. We encourage you to read this Privacy Statement in full to understand in detail how we collect and use information.
Below is a summary of our practices, as detailed in this Privacy Statement:
- You can always control your data, either directly through your account or with help from the Customer granting you access to the Services.
- Privacy is the default status. You or the Customer granting you access determine whether and how your information will be viewable or accessible by others. If we need to disclose your information to provide our services, we explain that in this Privacy Statement or within the Services.
- Access to your information is strictly limited to you, the Customer granting you access to the Services, us, and others who must have it for the Services to function properly or for other purposes described below.
- If we offer any social or sharing features, we will make sure you always know when you are doing something that other users can see.
- Any reporting we do on trends or content consumption is in the aggregate and will not identify you individually.
- Registered Users should submit privacy inquiries to their Customer. Otherwise, you may contact HealthStream at privacy@healthstream.com or submit a Consumer Privacy Request if you have questions about our Services.
BY USING OR ACCESSING OUR SERVICES IN ANY MANNER, YOU CONSENT TO THE PRACTICES DESCRIBED IN THIS PRIVACY STATEMENT. If you do not agree with this Privacy Statement, do not use the Services.
1. About HealthStream
In this Privacy Statement, HealthStream, Inc. and our affiliates, corporate parent(s), and subsidiaries are collectively called “HealthStream,” “we” or “us.” This Privacy Statement is part of and governed by our Terms of Use.
This Privacy Statement describes how HealthStream collects and treats information through all of our Services, except for Nursegrid and myClinicalExchange, each of which is governed by its own privacy statements, not this one.
Please note that the Site primarily serves the purpose of informing current and potential new customers about the various Services we offer on a business-to-business basis, though we may designate certain areas of the Site to serve as a platform from which HealthStream provides consumer access to specified products or services.
Any additional, separate privacy notices that we provide to you will also be considered part of this Privacy Statement. Please note that this Privacy Statement does not apply to information collected by a hospital, university, healthcare organization, association, or other third party, even if the third party is a Customer that uses HealthStream.
We may periodically update this Privacy Statement. If we make any material changes, we will notify you through the Services or by updating this posting. Your continued use of the Services after the effective date will be subject to the new Privacy Statement. You are responsible for checking this Privacy Statement for changes.
2. Health Data & Education Privacy
Most HealthStream Services are not designed to collect or process information that is protected under health privacy laws or education privacy laws. In some cases, we contract with a Customer to provide our Services in compliance with HIPAA or FERPA or equivalent or complementary laws. This means Users should never submit protected health information or any other health data or educational information to the Services unless instructed to by the User’s Customer.
If HealthStream collects or processes protected health information, we do so as a “business associate” to the Customer as the “covered entity” under HIPAA.
If a Customer is an educational institution and instructs us to collect a User’s FERPA-protected educational information, HealthStream is considered a “school official” to the Customer under FERPA and equivalent laws.
In all cases, the Customer instructs our activities with this data and the Customer (not HealthStream) is responsible for all decisions for its use, disclosure, and security. The Customer is solely responsible for ensuring that its and its Users’ use of the Services comply with applicable health and education privacy laws. If you have questions, please contact the Customer through which you use the Services.
3. Personal Information Defined
When we say, “Personal Information,” we mean information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual consumer or household. For our purposes, Personal Information typically falls within one or more of these categories:
- Identifiers (e.g., name, email address, address, telephone number, username);
- Sensitive Personal Information (e.g., racial or ethnic origin; biometrics; union membership; state ID; precise geolocation; contents of messages when we are not the recipient; as well as health data, protected health information, and similar data protected by health privacy laws; and other health information generally);
- Protected classification information (e.g., race, citizenship, marital status, medical condition, sex, sexual orientation, veteran or military status);
- Biometric information (e.g., image, keystrokes, behavioral or biological characteristics);
- Internet or other similar activity (e.g., general location, content interactions, browsing history);
- Employment-related information (e.g., current or past employment);
- Non-public educational information, including information protected under the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99);
- Commercial information (e.g., products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies); and
- Inferences drawn from Personal Information to create a profile about preferences, characteristics, trends, predispositions, behavior, attitudes, intelligence, and aptitudes.
Note that some information about you may not be protected by privacy laws, for example, information that is: (a) publicly available; (b) aggregated, meaning data about a group or category of services or users from which individual identities and other Personal Information has been removed; or (c) deidentified so that it cannot be easily linked back to the individual.
4. Our Privacy Practices
a. About Personal Information Collection
How we collect and use your Personal Information depends on which of our Services you use and how you use them. In any case, we only collect, use, retain, and disclose Personal Information as reasonable and necessary and proportionate to provide you with the Services, or we might use it in other compatible ways that we would tell you about first.
During the last 12 months, we have collected (i) identifiers; (ii) employment-related information; (iii) non-public educational information; (iv) biometrics; (v) protected information; (vi) sensitive Personal Information; (vii) commercial information; (viii) internet activity; and (ix) inferences, as follows:
i. From the User, with consent. You must register for your hStreamID and create an account to use some of our Services. HealthStream collects and uses Personal Information as follows to facilitate your registration and use of these Services:
- To create your hStreamID and account, we collect identifiers like your name, email address, mailing address, and phone number, as well as your login credentials. We also collect your employment and educational information like your title, credentials, specialty, and your education and work status and history.
- If you include a photograph to your account profile, we will collect the biometrics contained in the photograph you upload.
- Our Store Services allow you to purchase and access Content through our Site as a consumer. To use the Store Services, you will be prompted to connect your existing hStreamID or create a new hStreamID. The hStreamID will give you access to your purchased Content. The Store Services will collect commercial history from your Content purchases and internet activity from your interactions with the Store Services. See the Content Marketplace Terms of Use for details.
ii. As a service provider to the Customer. A Customer may instruct us to collect additional Personal Information from Users via the Services. We collect this information as a service provider to the Customer, and the User submits the information with consent.
- Employment and educational information like User educational credits, licenses, health facility privileges, or medical board profile.
- For certain Services, sensitive Personal Information or protected information like health information, healthcare license identification number, tax ID or other government ID, military status, citizenship, birth country, ethnicity, or visa information. In some cases, your Customer may instruct us to collect protected health information subject to health privacy laws.
- Biometrics like User health data, if instructed by the Customer.
We use this information to provide the Services, identify and administer the User’s account, and communicate with Users. If you use our Services via a Customer, the Customer is responsible for obtaining your consent and the Customer’s administrator or other representative may be able to access, maintain, and share any Personal Information associated with your User account. A User can refuse to supply requested Personal Information, but doing so may impede the User’s ability to use the Services or participate in the Customer’s program.
iii. From the Customer. A Customer might create your User account or submit information about you to the Services, such as:
- Employment or non-public educational information.
- Sensitive Personal Information like health information (e.g., immunizations, health records, or drug screening results), background investigations, and credit reports.
HealthStream collects this Personal Information as part of our contract as a service provider to the Customer. Note that we do not control or verify the information a Customer submits to us. If you have any questions about information on your account not input by you directly, please contact your Customer.
iv. Your chat conversations with HealthStream. If you participate in a live chat with us on the Site or any other Services, we collect and record any information, including Personal Information, that you choose to include in your chats with us, such as:
- Identifiers like your name, username, or email address.
- Any other Personal Information you choose to include in your communication.
Please note that the chat feature is made possible through our relationship with a third-party service provider, and your chats may be accessible simultaneously and in real-time by that third-party service provider. By initiating or continuing a live chat on the Site, you consent to our third-party service provider accessing your chats. If you do not consent to such access to your chats, you should not initiate or participate in a chat on our Site or through any of our Services.
v. Your communications with HealthStream. If you contact HealthStream using the forms or links on the Site or by email or other means, you voluntarily provide us with your:
- Identifiers like your name, email address, telephone number, and any other Personal Information you choose to include in your communication.
- Employment information like your title and organization type (e.g., hospital, home health facility, etc.).
- If you make a purchase on the Site, we will collect the commercial history of your purchase(s) and use a PCI-compliant payment processor or bank to process any payments related to your purchase.
We use this information to respond to your inquiries and to communicate with you about HealthStream according to your communication preferences.
vi. Automatically from your use of the Site, with legitimate interest. When you interact with the Site, we automatically collect technical data about your internet activity such as your IP address, the content with which you interact and, for some Services, your geolocation. Additionally, certain third parties place cookies and related technologies on the Site which will collect data, including Personal Information, from your activities on the Site. Cookies are described in detail in our Cookie Declaration.
The Site provides you with a cookie notice banner and an opportunity to accept or reject non-essential cookies on the Site. If you do not reject non-essential cookies or otherwise opt-out of analytics or marketing cookies, certain third parties will have access to data collected from these cookies and may independently process that data to analyze your use of our Services or for marketing purposes. By permitting these cookies, you consent to this processing of your data by third parties.
We collect this data to achieve our legitimate interest of managing and improving our Services. We use this information to administer the Site, provide and improve the Services, analyze usage, protect the Services and its content from inappropriate use, and improve the nature and marketing of the Services.
In addition to the specific uses above, we might also use your Personal Information to (i) provide the Services and personalize your experience; (ii) send you support and administrative messages; (iii) monitor your compliance with any of your agreements with us; (iv) protect your privacy and enforce this Privacy Statement; (v) identify, contact, or bring legal action against persons or entities who may be causing injury to you, to HealthStream, or to others if we believe it is necessary; (vi) comply with a law, regulation, legal process or court order; or (vii) fulfill any other purpose to which you consent. HealthStream will update this Privacy Statement or otherwise notify you and obtain your consent where required under applicable law before we collect additional categories of Personal Information or use your Personal Information for purposes that are incompatible with the purpose stated at the time of collection.
b. About Retention Periods
HealthStream retains Personal Information for the minimum period necessary to fulfil the purpose for which it was collected. Sometimes our retention periods are determined by the regulations or policies that apply to the Customers or Users of a given Service. This means HealthStream may be required to retain Personal Information for a specified period or indefinitely, unless or until a User requests that we delete some or all of their Personal Information. HealthStream’s data retention practices are designed to ensure that our Services serve as a secure repository of information in healthcare settings, comply with regulatory requirements, and support a policy of good data hygiene.
c. About Disclosure to Third Parties
We only disclose your Personal Information in limited circumstances and for specific purposes. If any Service allows for social connectivity or sharing, we will notify you of the privacy implications of using the feature before you proceed. In the last 12 months, HealthStream has disclosed all categories of Personal Information that we collected for a business purpose to these recipients:
i. The Customer. If you use the Services for your job or role in an educational or healthcare program with a Customer, HealthStream is a service provider to that Customer. We may disclose any Personal Information associated with your account to the Customer so that you and the Customer can manage your role within the organization or so the Customer can provide you with other services.
ii. Our Service Customers. We use a variety of service providers such as data hosting companies, analytics services, email hosting services, and payment processors. We prohibit our service providers from selling or disclosing the Personal Information we provide, and we require all service providers to maintain confidentiality standards that are commercially reasonable to ensure the security of your Personal Information. The type of information that we provide to a Service Customer will depend on the service that they provide to us.
iii. Our Chat Provider. To enable the chat feature available through the Site and other Services, we may transfer certain data to our third-party chat service provider simultaneously and in real-time. Our chat service provider will only use your chat data to facilitate your chat and provide you with support, to provide us with the live chat feature, or for internal operations purposes. BY PARTICIPATING IN A LIVE CHAT, YOU CONSENT TO THE DISCLOSURE OF YOUR CHATS, AND THE DATA YOU INCLUDE IN THOSE CHATS, TO OUR THIRD-PARTY SERVICE PROVIDERS, AND YOU WAIVE ANY POTENTIAL EAVESDROPPING OR WIRETAPPING CLAIMS.
iv. Our Affiliates. As a part of the HealthStream family of services, we may disclose the Personal Information we collect about you to our affiliates or subsidiaries. If we do disclose your Personal Information to our affiliates or subsidiaries, their use and disclosure of your Personal Information will be subject to this Privacy Statement. Additionally, we may disclose Personal Information to our Partners, which the Partner must keep confidential and only use for its contractual obligations to us.
v. Advertisers. Our Partners or other advertisers may place ads on the Services. If you click on an ad, you will be redirected to the advertiser’s website or platform. Any information you provide to the advertiser will be processed according to the advertiser’s privacy practices, not ours. We may collect data about the ads you click from the Services to measure the popularity and effectiveness of ads on the Services. We also place cookies and pixels on the application to track and report on content interactions and to serve you with tailored advertisements when you visit social media and other platforms. This processing allows us and our advertisers to better understand how users interact with the platform and its features and to inform advertisers of the offers that most interest our users. You can opt out of these disclosures by not interacting with ads on the Services. Please note that if you directly interact with an advertiser, the advertiser will process your Personal Information according to its privacy practices.
vi. Law enforcement or other government agencies as permitted or required by law.
vii. Cookie information recipients subject to their respective privacy statements.
viii. Other Third Parties, as permitted by applicable law. For example: if we go through a business transition (e.g., merger, acquisition, or sale of a portion of our assets); to comply with a legal requirement or a court order; when we believe it is appropriate in order to take action regarding illegal activities or prevent fraud or harm to any person; to exercise or defend our legal claims; or for any other reason with your consent.
d. About Our Partners
From time to time, HealthStream partners with other companies that want to offer discounts, promotions, or other offers exclusively to our Users (“Partners”). These offers are posted on the Services as advertisements and users receive the promotion when they click through and purchase the product or service from the Partner. Any Personal Information you submit to the Partner when you make a purchase or sign up for services is subject to the Partner’s privacy practices, not ours. You consent to this processing by clicking the ad and interacting with the Partner. If you don’t want a Partner to have this Personal Information about you, do not click on the ad or engage the Partner for products or services. We may earn a commission from your purchase with a Partner.
Please note that HealthStream and the Partner may exchange user data to facilitate your use of our Services along with the products or services offered by the Partner. The Partner is strictly required to keep all disclosed data confidential and to only use the data to fulfill the contract with us. For example, we may provide user data (e.g., username, employer, hire date) to the Partner or the Partner may report to us whether a user participated in a promotion. We may use the data received from the Partner for any purpose as permitted by this Privacy Notice and applicable law.
You can prevent the disclosure of your information in this manner to the extent that this exchange of data qualifies as “sharing” Personal Information under privacy laws by adjusting your account settings to opt-out of sharing. Please note that opting out may make it impossible for the Partner to provide you with the promotion. For clarity, neither HealthStream nor the Partner will ever sell your Personal Information to one another or to any third party.
e. About Aggregated & Deidentified Information
HealthStream may use fully anonymized, deidentified or aggregated data generated using Personal Information to assist with our research, marketing, advertising, or other purposes. This information is not your Personal Information, so we may do this for our purposes and without restriction. If we ever have a data collection mechanism specifically intended for a Customer’s use, we will notify you that the data is being collected for that specific purpose and help you understand the privacy implications before you use it.
5. Children’s Privacy
Our Services are designed for individuals aged 16 and older. We do not knowingly collect Personal Information from children under 16 without verification of parent or guardian consent. If you believe we might have any information collected online from a child under 16, or if you become aware of any unauthorized submission of information to us, please contact us at privacy@healthstream.com and we will delete that information from our systems.
HealthStream cannot control the privacy practices of Customers. If a Customer chooses to input children’s Personal Information on the Services, it is done under their own privacy practices, not ours. We are not responsible for any Customer’s or other party’s compliance or noncompliance with laws or regulations. Please contact the Customer directly if you have questions about their privacy practices.
6. Offered in the U.S. and Canada
HealthStream is owned and operated in the United States only and, as such, the Services are designed to serve Users and Customers in the United States and Canada. We do not market the Services to Customers or residents in the European Union or any other jurisdiction outside of the United States and Canada. However, if a Customer incidentally permits an EU resident to register as a User, the Customer does so under its own (not HealthStream’s) privacy practices and the Customer is solely responsible for compliance with the privacy laws applicable to such use.
If you are a registered User who is a non-US resident or if you visit the Site from outside of the United States, you acknowledge that Personal Information we collect about you will be transferred to our servers in the United States and maintained there in accordance with our retention policy. This may require the transfer of your Personal Information out of your country of origin with laws governing data collection and use that may differ from or be more restrictive than U.S. law, or may result in governments, courts, law enforcement, or regulatory agencies having access to or obtaining disclosure of your Personal Information pursuant to the laws of the applicable foreign jurisdiction. By allowing us to collect Personal Information about you, you consent to this Privacy Statement and the transfer and processing of your Personal Information as described in this paragraph, and you waive any and all remedies that you may have based on the laws of your jurisdiction.
7. Your Choices & Controls
HealthStream provides you with methods to directly control your Personal Information on the Services.
a. Your Account Profile and Device Settings
Users can sign into their accounts at any time to change or delete certain Personal Information. As an information repository for Customers, some of the Personal Information on your account cannot be deleted. Please contact your Customer if you wish to make changes to your account but are not able to do so yourself. You can also control the data we collect by adjusting your device settings.
b. HealthStream Emails
If you provide us with your email address, we may send you informational or support emails or, if you opt-in, marketing emails about the Services. You can opt-out of marketing emails but not our support or transactions emails. To opt-out, change your preferences via the links provided in the emails, email privacy@healthstream.com or submit a Consumer Privacy Request.
c. Texting Consent
If you provide us with your wireless number, you consent to HealthStream sending you text messages for informational or authentication purposes. The number of texts that we send to you will be based on your circumstances and requests. You can unsubscribe from text messages by replying STOP or UNSUBSCRIBE to any of these text messages. Messaging and data charges may apply to any text message you receive or send. Please contact your wireless carrier if you have questions about messaging or data charges.
d. Do Not Track Requests
Do Not Track signals are signals sent through a browser informing us that you do not want to be tracked. Currently, our systems do not recognize browser “do-not-track” requests. If this changes in the future, we will update this Privacy Statement.
e. Consumer Privacy Requests
If you are a User and you wish to exercise your rights beyond the methods provided, express concerns, lodge a complaint, or obtain additional information about the use of your Personal Information, please contact your Customer. Users MUST direct privacy inquiries to their Customer. Otherwise, you may send us a Consumer Privacy Request or email us at privacy@HealthStream.com. We will relay your request to your Customer or fulfill it directly if we can. HealthStream does not charge a fee to process or respond to a verifiable request unless we have legal grounds to do so. In that case, we will tell you the cost estimate and why we are charging the fee before completing your request. We may be unable to fulfill some or all of your request, for example, if your request falls within a statutory exception or if fulfilling your request would prevent us from complying with a statutory or contractual obligation.
8. Notice of Privacy Rights
Depending on where you live or are located, you may have certain rights over your Personal Information.
- If you visit our Site or inquire about our Services on behalf of a Customer, HealthStream collects and processes your Personal Information as a business or data controller.
- For all other purposes, HealthStream acts as a service provider or data processor to our Customers.
The following sections outline legally required and courtesy notices of privacy rights that may be available to you depending on where you live and how you interact with HealthStream.
a. Privacy Rights Available in the United States
In the United States, consumer privacy is governed by state laws providing general consumer privacy rights, as well as federal laws addressing specific industries or data uses. This section provides notices of consumer privacy rights available to residents of U.S. states that require companies to inform consumers about their privacy rights and provide a method to exercise those rights (“Consumers”). If you reside in a state offering privacy protections, you may be entitled to some or all of these rights:
- Right to Correct. You have the right to request that we correct inaccurate Personal Information about you on our systems. If you become aware that the Personal Information that we hold about you is incorrect, or if your situation changes (e.g., you change address), please inform us and we will update our records. You can correct your Personal Information through your account or by contacting your Customer.
- Right to Delete. You have the right to request that we delete your Personal Information that we collected from you and retained, with certain exceptions. In response to your request, we may permanently delete, deidentify, or aggregate the Personal Information in response to a request for deletion. If you submit a right to deletion request, we will confirm the Personal Information to be deleted prior to its deletion, and we will notify you when your request is complete. Note that, as an information repository for Customers, HealthStream is not permitted to delete some types of Personal Information.
- Right to Access. You may have the right to receive confirmation that we have collected Personal Information about you and copies of the requested pieces of Personal Information in a portable and readily usable format. HealthStream may be legally prohibited from disclosing certain pieces of Personal Information, and we may be limited in the number or frequency of requests we must fulfill.
- Limited Use and Disclosure of Sensitive Personal Information. HealthStream does not seek to collect your sensitive Personal Information, though your Customer may use the Services to collect this information about you or you may choose to input some sensitive Personal Information to the Services. In no case will we use or disclose your sensitive Personal Information for the purpose of inferring characteristics about you. If this ever changes in the future, we will update this Privacy Statement and provide you with methods to limit use and disclosure of Sensitive Personal Information.
- No Selling or Sharing Personal Information. HealthStream does not, and will not, sell the Personal Information collected about you or share your Personal Information with third parties for cross-contextual behavioral advertising purposes. HealthStream may use data collected from cookies on the Site or applications for marketing or retargeting, which may qualify as “sharing” Personal Information under some privacy laws. To opt-out of this sharing, adjust your settings on our Cookie Declaration or cookie banner to opt-out of Marketing Cookies.
Customers may choose to use certain integrated third-party services that require disclosure of user Personal Information to function. These disclosures only occur with permission from the Customer through which you use our Services. As such, these disclosures are not a sale or sharing of user Personal Information under applicable privacy laws. Please direct any questions to the Customer.
- No Profiling. HealthStream does not use any form of automated processing of Personal Information to evaluate, analyze, or predict your performance, preferences, choices, or behavior. If this changes in the future, we will update this posting to describe our use of profiling and your options to opt-out.
- Health Data Rights. The Services are designed to support Customers and healthcare professionals. Users should never submit health data to the Services unless instructed to by the applicable Customer. Some state laws entitle consumers to certain details about health data collected about them, including (a) confirmation of whether the entity collects, shares, or sells the consumer’s health data and access that data, including a list of all third parties and affiliates with whom the entity has shared or sold the health data and a method to contact those third parties, (b) a method to withdraw consent related to use of health data, and (c) the right to have their health data be deleted. THE CUSTOMER, AND NOT HEALTHSTREAM, IS RESPONSIBLE FOR FULFILLING CONSUMER REQUESTS TO EXERCISE THEIR RIGHTS RELATED TO HEALTH DATA.
- Right to Disclosure. You may have the right to receive details about the collection and use of your Personal Information via the Services, such as: (i) the categories of Personal Information we have collected about you; (ii) the categories of sources for the Personal Information we have collected about you; (iii) our business purpose for collecting, using, processing, sharing or selling that Personal Information, as applicable; (iv) the categories of third parties with whom we share that Personal Information; and (v) if we sold or shared your Personal Information under the California Consumer Privacy Act, two separate lists stating: (a) sales or sharing, identifying the Personal Information categories that each category of recipient purchased; and (b) disclosures for a business purpose, identifying the Personal Information categories that each category of recipient obtained. To learn more, please contact your Customer. Certain laws may limit the number or frequency of requests we must fulfill.
- Right to Nondiscrimination. HealthStream will not discriminate against you for exercising your privacy rights. For example, unless permitted by law we will not: (i) deny you goods or services; (ii) charge you different prices or rates for goods or services; (iii) provide you a different level or quality of goods or services; (iv) retaliate against you as an employee, applicant for employment, or independent contractor for exercising your privacy rights; or (v) suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services, because you exercised a right under applicable privacy laws.
- Right to Disclosure of Marketing Information. California’s Shine the Light Act (Civil Code sections 1798.83-1798.84) entitles California residents to request certain disclosures regarding Personal Information sharing with affiliates and/or third parties for marketing purposes.
If you are a User, please contact your Customer to exercise these rights or inquire further. Otherwise, you may send us a Consumer Privacy Request or email us at privacy@HealthStream.com.
b. Canadian Privacy Rights
This section provides information to residents of Canada (“Canadian Consumers”) in compliance with Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”). Canadian Consumers to whom PIPEDA applies have a:
- Right to know why HealthStream collects, uses, and distributes Personal Information. The required notices are set in this Privacy Statement. We may provide additional notices about other ways we process your Personal Information via the Services. Your Customer is responsible for providing you with all additional details about your Personal Information processing.
- Right to expect us to collect, use, or disclose Personal Information responsibly and not for any other purpose other than which you have consented. We use this Privacy Statement to explain our privacy practices, and the Services are designed to collect express or implied consent at key points, but the User’s Customer is ultimately responsible for setting expectations and collecting necessary consents for the User’s privacy on the Services. Users may withdraw consent by contacting their Customer. In all other cases, you may withdraw your consent at any time with reasonable notice by submitting a Consumer Privacy Request or contacting us at privacy@healthstream.com.
- Right to accuracy of your Personal Information. We take steps to reasonably ensure that your Personal Information we are using is accurate. In most cases, we rely on you and your Customer to ensure that your information is current, complete, and accurate. We offer methods for you or your Customer to correct, update, and delete inaccurate Personal Information in your account, and we will provide you with reasonable assistance to ensure that your Personal Information is accurate in our systems and with our service providers.
- Right to access your Personal Information. Upon written request and identity authentication, we will provide you with your Personal Information under our control, information about the ways in which that information is being used and a description of the individuals and organizations to whom that information has been disclosed. We will make the information available within 30 days or provide written notice where additional time is required to fulfil the request. If limited by law or potential infringement on another’s privacy rights, we may not be able to provide access to some or all of the Personal Information you request. If we must refuse an access request, we will notify you in writing, document the reasons for refusal and outline further steps that are available to you.
If you are a User, please contact your Customer to exercise these rights or inquire further. Otherwise, you may send us a Consumer Privacy Request or email us at privacy@HealthStream.com.
c. EU and UK Privacy Rights
HealthStream does not offer or market the Services for use by anyone outside of the United States and Canada. If a Customer permits access to the Services by residents of the European Union, Switzerland, and the United Kingdom (“Data Subjects”), the Customer does so according to its own privacy practices. The Customer (not HealthStream) is responsible for compliance with any privacy laws that may apply to use of the Services by Data Subjects. Data Subjects must contact the Customer to inquire about privacy matters.
For courtesy purposes only, this section lists the privacy rights available to Data Subjects:
- Right to know how your Personal Information is processed. HealthStream provides details about our privacy practices in this Privacy Statement. We may provide additional notices in the Services, by email, or other communications from time to time. Please contact your Customer for further details.
- Right to access your Personal Information. Upon request from your Customer, we will provide a copy of your Personal Information and details about the types of Personal Information we process, why we process it, and any third parties we work with to collect Personal Information on our behalf. We may have one or more legally valid reasons to refuse a request in whole or in part, for example, to protect the rights of other individuals.
- Right to restrict processing of your Personal Information. You can request that your Customer require HealthStream to restrict the processing of your Personal Information if: (a) the data is inaccurate; (b) the processing is unlawful; (c) we no longer need the Personal Information; or (d) you exercise your right to object.
- Right to rectify your Personal Information. If you become aware that the Personal Information that we hold about you is incorrect, or if your information changes, you may update your Personal Information on your account or request that your Customer update it on the Services for you.
- Right to data portability. In some circumstances, your Customer may be required to facilitate HealthStream providing your Personal Information to another organization in a structured, commonly used and machine-readable format.
- Right to erasure (a.k.a. the “right to be forgotten”). Upon request by your Customer, HealthStream will delete your Personal Information in certain circumstances and where required by law. This right is not absolute, and HealthStream or your Customer may be entitled to retain and process your Personal Information despite this request.
- Right to object to certain processing of your Personal Information. Upon your Customer’s request, we will limit our processing of your Personal Information as you request in certain circumstances and where we are required to do so by law.
- Right not to be subject to automated decision-making. HealthStream does not use automated decision-making to provide the Services. If this changes in the future, we will update this Privacy Statement to describe our use of automated decision-making and your options to exercise your privacy rights related to your Personal Information processed using automated decision-making.
- Right to lodge a complaint with a supervisory authority. Data Subjects can submit requests, questions, or complaints to their Customer. Data Subjects that feel a privacy issue has not been resolved may file a complaint with a supervisory authority applicable to their Customer, for example the Data Protection Commissioner of Ireland.
Data Subjects must contact their Customer to exercise these rights or inquire further.
9. Third Party Websites
If you click an advertisement or link on the Services, you will be redirected to a website or platform operated by a third party whose privacy practices may differ from ours. If you submit Personal Information to any third-party websites or platforms, your information is governed by the privacy policies of those third parties and HealthStream has no control over their privacy practices.
10. Data Security
HealthStream implements reasonable and appropriate technical, organizational, and physical security measures to help protect your Personal Information from unauthorized or illegal access, destruction, use, modification, or disclosure. We employ a series of security measures, including secure login, multifactor authentication, encryption in transit and at rest. We ensure that HealthStream personnel responsible for handling Personal Information and privacy matters are informed of applicable privacy law requirements. Our security measures are appropriate to the volume, scope, and nature of the Personal Information processed and designed to meet our duty of care with respect to your Personal Information. Please note, however, that no transmission of data over the internet is 100% secure. We cannot guarantee that unauthorized third parties will not defeat our security measures or use your Personal Information for improper purposes. It is your responsibility to keep your account secure from unauthorized access. HealthStream is not responsible for any lost, stolen, or compromised passwords, or any unauthorized activity on your account. We also have no control over any Customer’s security measures or practices, and we make no representations or guarantees that your Personal Information is secure once transmitted or stored on their systems.