Last updated July 25, 2023
HealthStream values you and your privacy. This Privacy Statement explains how we collect and treat information when we provide our Services to hospitals, universities, healthcare organizations, associations, and other customers (each an “Organization”) for use by the Organization’s administrator or other representative (“Administrator”) and the healthcare practitioners, students, or other individuals that the Organization permits to register as users (each a “User”). Our “Services” include healthstream.com and other websites we own or operate (the “Site”), our web-based services, digital properties, and applications, as well as your communications with us.
HealthStream understands that your privacy is important, and we want you to have a clear understanding of how we collect and treat your information. We encourage you to read this Privacy Statement in full to understand in detail how we collect and use information. Here is a summary of our practices, as detailed in this Privacy Statement:
This Privacy Statement describes how HealthStream collects and treats information through all of our Services, except for Keener, Nursegrid or myClinicalExchange, each of which is governed by its own privacy statements, not this one.
Any additional, separate privacy notices that we provide to you will also be considered part of this Privacy Statement. Please note that this Privacy Statement does not apply to information collected by a hospital, university, healthcare organization, association, or other third party, even if the third party is an Organization that uses HealthStream.
By using or accessing HealthStream Services in any manner, you acknowledge and accept this Privacy Statement, and you consent to our collection, use, and disclosure of your information as described below. If you do not agree with this Privacy Statement, do not use our Services.
When we say, “Personal Information,” we mean information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual consumer or household. For our purposes, Personal Information typically falls within one or more of these categories:
Note that information may not be protected by privacy laws if it is: (i) publicly available; (ii) aggregated, meaning data about a group or category of services or users from which individual identities and other Personal Information have been removed; or (iii) deidentified so that it cannot be easily linked back to the individual.
About Personal Information Collection
How we collect and use your Personal Information depends on which of our Services you use and how you use them. We only collect, use, retain, and disclose Personal Information as reasonable and necessary and proportionate to provide you with the Services, or we might use it in other compatible ways that we would tell you about first.
During the last 12 months, we have collected (i) identifiers; (ii) employment-related information; (iii) non-public educational information; (iv) biometrics; (v) protected information; (vi) sensitive Personal Information; (vii) commercial information; (viii) internet activity; and (ix) inferences. We collect this information from:
Directly from you, with your consent. You must register and create an account to use some of our Services. To facilitate your registration and use of the Services, we collect:
As instructed by your Organization and collected from you with your consent. Your Organization may instruct us to collect additional Personal Information via the Services. We collect this information as a service provider to your Organization.
We use this information to provide the Services, identify and administer your account, and communicate with you. If you use our Services via an Organization, the Organization is responsible for obtaining your consent and the Organization’s Administrator may be able to access, maintain, and share any Personal Information associated with your User account. You can refuse to supply requested Personal Information, but doing so may impede your ability to use the Services or participate in your Organization’s program.
From your Organization, in our role as a service provider. Your Organization might create your User account or submit information about you to the Services, such as:
HealthStream collects this Personal Information as part of our contract as a service provider to the Organization. Note that we do not control or verify the information an Organization submits to us. If you have any questions about information on your account not input by you directly, please contact your Organization.
When you participate in a chat with HealthStream. If you participate in a live chat with us on the Site or any other Services, we collect and record any information, including Personal Information, that you choose to include in your chats with us, such as:
Please note that our live chat feature is made possible through our relationship with a third-party service provider, and your chats may be accessible simultaneously and in real-time by that third-party service provider. BY INITIATING OR CONTINUING A LIVE CHAT ON THE SITE, YOU CONSENT TO OUR THIRD-PARTY SERVICE PROVIDER ACCESSING YOUR CHATS. If you do not consent to such access to your chats, you should not initiate or participate in a chat on our Site or through any of our Services.
From your communications with us, with your consent. If you contact HealthStream using the forms or links on the Site or by email or other means, you voluntarily provide us with your:
We use this information to respond to your inquiries and to communicate with you about HealthStream according to your communication preferences.
Automatically from your use of the Site, with legitimate interest.
In addition to the specific uses above, we might also use your Personal Information to (i) provide the Services and personalize your experience; (ii) send you support and administrative messages; (iii) monitor your compliance with any of your agreements with us; (iv) protect your privacy and enforce this Privacy Statement; (v) identify, contact, or bring legal action against persons or entities who may be causing injury to you, to HealthStream, or to others if we believe it is necessary; (vi) comply with a law, regulation, legal process or court order; or (vii) fulfill any other purpose to which you consent. HealthStream will update this Privacy Statement or otherwise notify you and obtain your consent where required under applicable law before we collect additional categories of Personal Information or use your Personal Information for purposes that are incompatible with the purpose stated at the time of collection.
About Retention Periods
HealthStream retains Personal Information for the minimum period necessary to fulfil the purpose for which it was collected. Sometimes our retention periods are determined by the regulations or policies that apply to the Organizations or Users of a given Service. This means HealthStream may be required to retain Personal Information for a specified period or indefinitely, unless or until a User requests that we delete some or all of their Personal Information. HealthStream’s data retention practices are designed to ensure that our Services serve as a secure repository of information in healthcare settings, comply with regulatory requirements, and support a policy of good data hygiene.
About Disclosure to Third Parties
We only disclose your Personal Information in limited circumstances and for specific purposes. If any Service allows for social connectivity or sharing, we will notify you of the privacy implications of using the feature before you proceed. In the last 12 months, HealthStream has disclosed all categories of Personal Information that we collected for a business purpose to these recipients:
Our Service Organizations
Our Chat Provider
Law enforcement or other governmental agencies as permitted or required by law.
Cookie information recipients subject to their respective privacy statements.
Other Third Parties, as permitted by applicable law.
About Aggregated and Deidentified Information
HealthStream may use fully anonymized, deidentified or aggregated data generated using Personal Information to assist with our research, marketing, advertising, or other purposes. This information is not your Personal Information, so we may do this for our purposes and without restriction. If we ever have a data collection mechanism specifically intended for an Organization’s use, we will notify you that the data is being collected for that specific purpose and help you understand the privacy implications before you use it.
Most HealthStream Services are not designed to collect or process information that is protected under health privacy laws or education privacy laws. In some cases, we contract with an Organization to provide our Services in compliance with HIPAA or FERPA or equivalent or complementary laws. This means Users should never submit protected health information or educational information unless instructed to by the User’s Organization. If HealthStream collects or processes protected health information, we do so as a “business associate” to the Organization as the “covered entity” under HIPAA. If your Organization is an educational institution and instructs us to collect your FERPA-protected educational information, HealthStream is considered a “school official” to the Organization under FERPA and equivalent laws. In either case, your Organization instructs our activities with this data and your Organization (not HealthStream) is responsible for all decisions for its use, disclosure, and security. Your Organization is solely responsible for ensuring that its and your use of the Services comply with applicable health and education privacy laws. Please contact your Organization if you have questions.
Our Services are designed for individuals aged 16 and older. We do not knowingly collect Personal Information from children under 16 without verification of parent or guardian consent. If you believe we might have any information collected online from a child under 16, or if you become aware of any unauthorized submission of information to us, please contact us at email@example.com and we will delete that information from our systems.
HealthStream cannot control the privacy practices of Organizations. If an Organization chooses to input children’s Personal Information on the Services, it is done under their own privacy practices, not ours. We are not responsible for any Organization’s or other party’s compliance or noncompliance with laws or regulations. Please contact the Organization directly if you have questions about their privacy practices.
HealthStream is owned and operated in the United States and is designed to serve Users and Organizations in the United States and Canada. We do not market the Services to Organizations or residents in the European Union or any other jurisdiction outside of the United States and Canada. However, if an Organization incidentally permits an EU resident to register as a User, the Organization does so under its own (not HealthStream’s) privacy practices.
If you are a registered User who is a non-US resident or if you visit the Site from outside of the United States, you acknowledge that Personal Information we collect about you will be transferred to our servers in the United States and maintained there in accordance with our retention policy. This may require the transfer of your Personal Information out of your country of origin with laws governing data collection and use that may differ from or be more restrictive than U.S. law, or may result in governments, courts, law enforcement, or regulatory agencies having access to or obtaining disclosure of your Personal Information pursuant to the laws of the applicable foreign jurisdiction. By allowing us to collect Personal Information about you, you consent to this Privacy Statement and the transfer and processing of your Personal Information as described in this paragraph, and you waive any and all remedies that you may have based on the laws of your jurisdiction.
Your Privacy Choices and Controls
HealthStream provides you with methods to directly control your Personal Information on the Services.
Your Account Profile and Device Settings
Users can sign into their accounts at any time to change or delete certain Personal Information. As an information repository for Organizations, some of the Personal Information on your account cannot be deleted. Please contact your Organization if you wish to make changes to your account but are not able to do so yourself. You can also control the data we collect by adjusting your device settings.
If you provide us with your email address, we may send you informational or support emails or, if you opt in, marketing emails about the Services. You can opt out of marketing emails but not our support or transactional emails. To opt out, change your preferences via the links provided in the emails, email firstname.lastname@example.org, or submit a Consumer Privacy Request.
If you provide us with your wireless number, you consent to HealthStream sending you text messages for informational or authentication purposes. The number of texts that we send to you will be based on your circumstances and requests. You can unsubscribe from text messages by replying STOP or UNSUBSCRIBE to any of these text messages. Messaging and data charges may apply to any text message you receive or send. Please contact your wireless carrier if you have questions about messaging or data charges.
Do Not Track Requests
Do Not Track signals are signals sent through a browser informing us that you do not want to be tracked. Currently, our systems do not recognize browser “do-not-track” requests. If this changes in the future, we will update this Privacy Statement.
Consumer Privacy Requests
If you are a User and you wish to exercise your rights beyond the methods provided, express concerns, lodge a complaint, or obtain additional information about the use of your Personal Information, please contact your Organization. USERS MUST DIRECT PRIVACY INQUIRIES TO THEIR ORGANIZATION.
Otherwise, you may send us a Consumer Privacy Request or email HealthStream at privacy@HealthStream.com. We will relay your request to your Organization or fulfill it directly if we can. HealthStream does not charge a fee to process or respond to a verifiable request unless we have legal grounds to do so. In that case, we will tell you the cost estimate and why we are charging the fee before completing your request. We may be unable to fulfill some or all of your request, for example, if your request falls within a statutory exception or if fulfilling your request would prevent us from complying with a statutory or contractual obligation.
Depending on where you live or are located, you may have certain rights over your Personal Information. If you visit our Site or inquire about our Services on behalf of an Organization, HealthStream collects and processes your Personal Information as a business or data controller. For all other purposes, HealthStream acts as a service provider or data processor of your Personal Information. The following sections outline legally required and courtesy notices of privacy rights that may be available to you depending on where you live and how you interact with HealthStream.
In the United States, consumer privacy is governed by state laws providing general consumer privacy rights, as well as federal laws addressing specific industries or data uses. This section provides notices of consumer privacy rights available through the state laws of California, Colorado, Connecticut, Nevada, Utah, Virginia, and other states with similar requirements. If you reside in a state offering privacy protections (“Consumer”), you may be entitled to some or all of these rights:
This section provides information to residents of Canada (“Canadian Consumers”) in compliance with Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”). Canadian Consumers to whom PIPEDA applies have a:
HealthStream does not offer or market the Services in the European Union or the United Kingdom. However, Organizations may incidentally offer access to the Services to residents of the European Economic Area (“EEA”) and the United Kingdom (“Data Subjects”) pursuant to the Organization’s own privacy practices. In such cases, the Organization (not HealthStream) is responsible for compliance with the General Data Protection Regulation and its counterpart regulation applicable to residents of the United Kingdom. DATA SUBJECTS MUST CONTACT THEIR ORGANIZATION TO INQUIRE ABOUT PRIVACY MATTERS. This section lists the rights available to Data Subjects as a courtesy only.
Data Subjects must contact their Organization to exercise these rights or inquire further.
HealthStream implements reasonable and appropriate technical, organizational, and physical security measures to help protect your Personal Information from unauthorized or illegal access, destruction, use, modification, or disclosure. We employ a series of security measures, including secure login, multifactor authentication, and encryption in transit and at rest. We ensure that HealthStream personnel responsible for handling Personal Information and privacy matters are informed of applicable privacy law requirements. Our security measures are appropriate to the volume, scope, and nature of the Personal Information processed and designed to meet our duty of care with respect to your Personal Information. Please note, however, that no transmission of data over the internet is 100% secure. We cannot guarantee that unauthorized third parties will not defeat our security measures or use your Personal Information for improper purposes. It is your responsibility to keep your account secure from unauthorized access. HealthStream is not responsible for any lost, stolen, or compromised passwords, or any unauthorized activity on your account. We also have no control over any Organization’s security measures or practices, and we make no representations or guarantees that your Personal Information is secure once transmitted or stored on their systems.
The Services may include links to other websites whose privacy practices may differ from ours. If you submit Personal Information to any of those websites, your information is governed by the privacy policies of those other websites. You should carefully review the privacy statement of any website you visit.
We may periodically update this Privacy Statement. If we make any material changes, we will notify you through the Services or by updating this posting. The date that this Privacy Statement was last revised is identified at the top of the page. Your continued use of the Services after the effective date will be subject to the new Privacy Statement. You are responsible for periodically checking this Privacy Statement for changes.