Last updated and effective as of March 30, 2022
This Privacy Statement for HealthStream, Inc. and its affiliates, corporate parent(s), and subsidiaries (collectively, "HealthStream", "we" or "us") describes how HealthStream collects and treats information through healthstream.com and other websites we own or operate (the "Site"), and our web-based services, digital properties, and applications, as well as your communications with us by any means (collectively, our "Services"). This Privacy Statement is governed by and part of our Terms of Use. Any capitalized terms used without definition have the meanings given in the Terms of Use. We may provide additional notices about our privacy practices, each of which will be considered to form part of this Privacy Statement.
This Privacy Statement also provides information specific to residents of California and Canada.
Note that this Privacy Statement does not apply to:
By using or accessing HealthStream Services in any manner, you acknowledge and accept this Privacy Statement, and you consent to our collection, use, and disclosure of your information as described below. If you do not agree with this Privacy Statement, do not use our Services.
As used in this Privacy Statement, "Personal Information" means "personal information", "personally identifiable information" or "personal data" as those terms are defined in applicable privacy and data protection laws, as organized into
the following categories:
Personal Information does not include: (i) publicly available information as prescribed by applicable privacy and data protection laws; (ii) aggregate information, meaning data about a group or category of services or users from which individual identities and other Personal Information has been removed; or (iii) deidentified information that cannot reasonably be used to infer information about, or otherwise be linked to, a particular consumer. Any de-identified information within HealthStream's control will not be used by us, either alone or in combination with other information, to identify a specific individual.
HealthStream collects and uses Personal Information about you depending on how you interact with our Services, whether as a Site visitor, a healthcare practitioner or other individual user ("User"), or an administrator or other representative (" Administrator") of a health system, hospital, or other healthcare provider using our Services ("Provider"). We only collect, use, retain, and disclose Personal Information as reasonably necessary and proportionate to provide the Services or for other purposes that we disclose to you and are compatible with the context of how we collected the Personal Information.
During the preceding 12 months, we have collected these categories of Personal Information:
We will update this Privacy Statement or otherwise notify you and obtain your consent where required under applicable law before we collect additional categories of Personal Information or use your Personal Information for purposes that are incompatible
with the purpose stated at the time of collection.
We collect Personal Information from the following sources and use it as described below:
- Identifiers like your name, email address, and telephone number, and any other Personal Information you choose to include in your communication.
- Employment information like your title and organization type (e.g., hospital, home health facility, etc.).
- If you make a purchase on the Site, we will collect the commercial history of your purchase(s) and use a PCI-compliant payment processor or bank to process any payments related to your purchase.
We collect this information with your consent, and we use it to respond to your inquiries and to communicate with you about HealthStream according to your communication preferences.
- Identifiers like your name, email address, mailing address, and phone number, as well as your login credentials.
- Employment and educational information like your title, credentials, specialty, privileges, and education and work status and history.
- Biometrics like your photograph or health data.
- Depending on the Services you use, sensitive Personal Information (in some cases including protected health information as described in Section 5) and protected information like health status, tax ID or other government ID, military status, citizenship, birth country, ethnicity, and visa information, as applicable and in our role as a service provider according to instructions from your Provider. In some cases, your Provider may instruct us to collect protected health information subject to health privacy laws as described in Section 5.
- Additional employment information or educational information related to your credentials or education, if required by your Provider.
We collect this information with your consent, and we use it to provide the Services, identify and administer your account, and communicate with you. If you use our Services via a Provider, the Provider is responsible for obtaining your consent and the
Provider's Administrator may be able to access, maintain, and share any Personal Information associated with your User account. You have the option to refuse to supply requested Personal Information, but doing so may impede your ability to use the
Services or work with your Provider.
- Sensitive Personal Information like health information (e.g., immunizations, health records, or drug screening results), background investigations, and credit reports
- Employment information.
- Non-public educational information.
Your Provider may also input additional Personal Information to the Services as necessary to manage a User's use of the Services. HealthStream collects Personal Information about you from your Provider in our role as a service provider to achieve our
legitimate interest of providing the contracted Services to you and your Provider. Note that we do not control or verify the information provided to us by a Provider. If you have any questions about information on your account not input by you directly,
please contact your Provider.
In addition to the specific uses described above, HealthStream might also use your Personal Information to:
HealthStream retains all Personal Information collected through the Services for as long as required to fulfill the purpose for which it was collected. HealthStream's retention periods are determined by the regulations or policies that apply to the Providers
or Users of a given Service. This means in some cases HealthStream may be required to retain Personal Information for a specified period or indefinitely, unless or until an individual User requests that HealthStream delete some or all of their Personal
Information. This retention policy is necessary to enable HealthStream to serve as a secure repository of information required for Users to work or participate in programs in healthcare settings.
In the preceding 12 months, HealthStream has disclosed all categories of Personal Information that we collected for a business purpose to the recipients described below.
HealthStream may disclose Personal Information to the recipients described below, or to other recipients with your permission or as required by law:
We reserve the right to disclose aggregated, anonymized, or deidentified information about any individuals with affiliated or nonaffiliated entities for marketing, advertising, research, or other purposes, without restriction. For example, we may share
reports showing trends about the general use of our Services without identifying an individual.
When HealthStream provides the Services as a service provider, your Provider may instruct HealthStream to collect or process information that is protected under health privacy laws or education privacy laws. In such cases, HealthStream collects protected health information as a "business "associate" to the Provider as a "covered entity" under the U.S. Health Insurance Portability and Accountability Act of 1996 or the privacy and security rules promulgated thereunder ("HIPAA"). If your Provider is an educational institution, HealthStream is a contractor working on behalf of the Provider and is therefore considered a "school official" under U.S. Family Educational Rights and Privacy Act ("FERPA") and equivalent laws. In these cases, HealthStream's privacy practices are governed by contractual agreements with your Provider; and your Provider, and not HealthStream, is responsible for all decisions regarding the use, disclosure, or safeguarding of protected health information or non-public educational information. Please direct questions about your protected health information or non-public education information to your Provider.
For all other uses of our Services, HealthStream is not subject to HIPAA or FERPA or the equivalent laws applicable to other jurisdictions where are our Services are available, and we make no warranty or representation that disclosures of information
via the Services are permissible under such laws or that the Services comply with any law or regulation governing health care, medical professionals, or educational institutions.
HealthStream is owned and operated in the United States and is designed to serve Users and Providers in the United States and Canada. We do not market the Services to residents of the European Union or any other jurisdiction outside of the United States and Canada. If you are an EU resident, please do not submit any Personal Information to HealthStream.
Nonetheless, if you are a registered User who is a non-US resident or if you visit the Site from outside of the United States, you acknowledge that Personal Information we collect about you will be transferred to our servers in the United States and maintained
there in accordance with our retention policy. This may require the transfer of your Personal Information out of your country of origin with laws governing data collection and use that may differ from or be more restrictive than U.S. law, or may result
in governments, courts, law enforcement, or regulatory agencies having access to or obtaining disclosure of your Personal Information pursuant to the laws of the applicable foreign jurisdiction. By allowing us to collect Personal Information about
you, you consent to this Privacy Statement and the transfer and processing of your Personal Information as described in this paragraph, and you waive any and all remedies that you may have based on the laws of your jurisdiction.
HealthStream Services are designed for individuals aged 16 and older. We do not knowingly collect Personal Information from children under 16 without verification of parent or guardian consent. If we discover that a child under 16 has provided us with Personal Information without parent or guardian consent, we will delete such information from our systems. HealthStream reserves the right to limit use of certain Services to individuals who have reached the age of majority under the laws of their jurisdiction. If you believe we might have any information collected online from a child under 16, or if you become aware of any unauthorized submission of information to us, please contact us at privacy@healthstream.com.
Note that HealthStream cannot control the privacy practices of Providers that use our Services. If a Provider chooses to input children's Personal Information on the Services, it is done under their own privacy practices, not ours. HealthStream is
not responsible for the failure of a Provider or other third party to comply with any law designed to protect children or any other law governing their use of our Services. Please contact the Provider directly if you have questions about their
privacy practices.
HealthStream provides you with options to control the Personal Information we hold about you and how we use it directly through our Services:
Depending on where you reside, you may have additional privacy rights or be entitled to additional controls over your Personal Information. Please see our supplemental notices specific to residents of California and Canada.
If you wish to exercise your privacy rights beyond the methods available through the Services, or if you want to express concerns, lodge a complaint, or request information, please contact your provider. Alternatively, you can email HealthStream at privacy@healthstream.com.
We endeavor to respond to Consumer Privacy Requests in accordance with the requirements of the law applicable to your jurisdiction. We do not charge a fee to process or respond to a verifiable request unless we have legal grounds to do so. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request. Depending on the circumstances and the nature of your request, we may be unable to fulfill your request in part or in whole, for example, if your request falls within a statutory exception or if fulfilling your request would prevent us from complying with a statutory or contractual obligation.
Note that if you use our Services via your Provider, we cannot fulfill your request directly. Instead, we will relay your request to your Provider for further processing and fulfillment.
This section provides residents of the State of California ("California Consumers") with the disclosures and notices required under the California Consumer Privacy Act of 2018, as amended ("CCPA"). The following paragraphs apply solely to California Consumers and describe the specific rights afforded under the CCPA.
In many cases, HealthStream collects Personal Information about you in a business-to-business context or as part of your employment with a Provider. Please note that Personal Information collected and used in this context is not protected under the CCPA.
California Consumers may exercise the following rights over their Personal Information, subject to any exceptions and limitations that may apply:
California Consumers may exercise these rights over their Personal Information by contacting their Provider or by sending HealthStream a verifiable Consumer Privacy Request, subject to any exceptions and limitations that may apply.
This section provides supplemental information to residents of Canada ("Canadian Consumers") in compliance with Canada's Personal Information Protection and Electronic Documents Act ("PIPEDA") and applies solely to
Canadian Consumers where PIPEDA applies. The following paragraphs describe PIPEDA rights and explain how to exercise those rights.
Canadian Consumers may exercise the above rights over their Personal Information by contacting their Provider or by sending HealthStream a verifiable Consumer Privacy Request, subject to any exceptions and limitations
that may apply.
HealthStream implements reasonable and appropriate security procedures and practices to help protect your Personal Information from unauthorized or illegal access, destruction, use, modification, or disclosure. We employ a series of security measures, including secure login, multifactor authentication, encryption in transit and at rest. We ensure that HealthStream employees, contractors, and agents responsible for handling Personal Information and privacy matters are informed of applicable privacy law requirements.
Please note, however, that no transmission of data over the internet is 100% secure. We cannot guarantee that unauthorized third parties will not defeat our security measures or use your Personal Information for improper purposes. We also have no control over any Provider's security measures or practices, and we make no representations or guarantees that your Personal Information is secure once transmitted or stored on their systems.
It is your responsibility to keep your account secure from unauthorized access. We encourage you to take steps to protect against unauthorized access to your account, such as choosing a robust password, keeping the password private, and signing off
after using a shared computer or other device. HealthStream is not responsible for any lost, stolen, or compromised passwords, or any unauthorized activity on your account.
The Site may include links to other websites whose privacy practices may differ from ours. If you submit Personal Information to any of those websites, your information is governed by the privacy policies of those other websites. You should carefully
review the privacy policy of any website you visit.
We may periodically update this Privacy Statement. If we make any material changes, we will notify you through the Services or by updating this posting. The date that this Privacy Statement was last revised is identified at the top of the page. Your
continued use of the Services after the effective date will be subject to the new Privacy Statement. You are responsible for periodically checking this Privacy Statement for changes.
If you have questions about our privacy practices or would like to make a complaint, please contact us at privacy@healthstream.com or by calling 800.521.0574.