Privacy Statement

Last updated December 12, 2022

Our Privacy Promise

HealthStream understands that your privacy is important, and we want you to have a very clear understanding of how we collect and treat the information you entrust to us. Here is a summary of our promise to you, as detailed in this Privacy Statement:

  • Privacy is our default status. We will tell you here or within the Services whether and how your information will be viewable or accessible by others.
  • You can always control your data, either directly through your account or by contacting HealthStream.
  • Access to your information is strictly limited to you, us, and others who must have it for our Services to function properly. If we offer any social or sharing features, we will make sure you always know when you are doing something other users can see.
  • HealthStream does not sell your Personal Information to anyone for any purpose.
  • Any reporting we do on trends or content consumption is in the aggregate and will not identify you individually.
  • Our customer relationships with hospitals, healthcare organizations, associations or others do not change our promise.
  • HealthStream will always notify you if this promise changes in any way.

We encourage you to read this Privacy Statement in full to understand in detail how we collect and use information.

About HealthStream Services

In this Privacy Statement, HealthStream, Inc. and our affiliates, corporate parent(s), and subsidiaries are collectively called “HealthStream,” “we” or “us” and our Services means healthstream.com and other websites we own or operate (the “Site”), and our web-based services, digital properties, and applications, and your communications with us.

This Privacy Statement describes how HealthStream collects and treats information through our Services, except for Keener, Nursegrid or myClinicalExchange, each of which is governed by its own privacy statements, not this one.

It does not apply to information collected through a Provider’s website or service, even if the Provider uses HealthStream Services. Please contact your Provider with any questions.

Your Consent

By using or accessing HealthStream Services in any manner, you acknowledge and accept this Privacy Statement, and you consent to our collection, use, and disclosure of your information as described below. If you do not agree with this Privacy Statement, do not use our Services.

“Personal Information”
When we say, “Personal Information,” we mean information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual consumer or household. Personal Information falls within these categories:

  • Identifiers (e.g., name, email address, address, telephone number, username);
  • Sensitive Personal Information (e.g., state identification number, precise geolocation; racial or ethnic origin; biometrics; union membership; contents of messages when we are not the recipient; as well as protected health information, personal health information, PHI, EPHI, and similar terms of art, each as defined under applicable health privacy laws; and other health information generally);
  • Protected classification information (e.g., race, citizenship, marital status, medical condition, sex, sexual orientation, veteran or military status);
  • Biometric information (e.g., image, keystrokes, behavioral or biological characteristics);
  • Internet or other similar activity (e.g., general location, content interactions, browsing history);
  • Employment-related information (e.g., current or past employment);
  • Non-public educational information, including information protected under the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99);
  • Commercial information (e.g., products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies); and
  • Inferences drawn from Personal Information to create a profile about preferences, characteristics, trends, predispositions, behavior, attitudes, intelligence, and aptitudes.

Some of your information is not protected as Personal Information, such as: (i) publicly available information; (ii) aggregate information, meaning data about a group or category of services or users from which individual identities and other Personal Information have been removed; or (iii) deidentified information that cannot be easily linked back to the individual.

Collecting and Using Your Personal Information

About Personal Information Collection
How you use the Services determines how we collect and use your Personal Information. For example, you might be a Site visitor, a healthcare practitioner or other individual user (“User”), or an administrator or other representative (“Administrator”) of a health system, hospital, or other healthcare provider using our Services (“Provider”). We only collect, use, retain, and disclose Personal Information as reasonable and necessary and proportionate to provide you with the Services, or we might use it in other compatible ways that we would tell you about first.  

During the last 12 months, we have collected (i) identifiers; (ii) employment-related information; (iii) non-public educational information; (iv) biometrics; (v) protected information; (vi) sensitive Personal Information; (vii) commercial information; (viii) internet activity; and (ix) inferences. We collect this information in the following ways:

Directly from you, with your consent. You must register and create an account to use some of our Services. When you register, we collect the Personal Information we need to facilitate your use of the Services, such as:

  • Identifiers like your name, email address, mailing address, and phone number, as well as your login credentials.
  • Employment and educational information like your title, credentials, specialty, privileges, and education and work status and history.
  • Biometrics like your photograph or health data.
  • For certain Services, sensitive Personal Information or protected information like health information, tax ID or other government ID, military status, citizenship, birth country, ethnicity, or visa information. Your Provider determines whether we collect this information and instructs us to do so as a service provider. In some cases, your Provider may instruct us to collect protected health information subject to health privacy laws.

We use this information to provide the Services, identify and administer your account, and communicate with you. If you use our Services via a Provider, the Provider is responsible for obtaining your consent and the Provider’s Administrator may be able to access, maintain, and share any Personal Information associated with your User account. You can refuse to supply requested Personal Information but doing so may impede your ability to use the Services or work for your Provider.

From your Provider, as a service provider. Your Provider might create your User account or register for you or contract with third parties to transmit Personal Information to the Services to include in your account, such as:

  • Employment or non-public educational information.
  • Sensitive Personal Information like health information (e.g., immunizations, health records, or drug screening results), background investigations, and credit reports.

HealthStream collects this Personal Information as part of our contract as a service provider to the Provider. Note that we do not control or verify the information a Provider submits to us. If you have any questions about information on your account not input by you directly, please contact your Provider. 

Directly from your communications, with consent. If you contact HealthStream using the forms or links on the Site or by email or other means, you voluntarily provide us with your:

  • Identifiers like your name, email address, and telephone number, and any other Personal Information you choose to include in your communication.
  • Employment information like your title and organization type (e.g., hospital, home health facility, etc.).
  • If you make a purchase on the Site, we will collect the commercial history of your purchase(s) and use a PCI-compliant payment processor or bank to process any payments related to your purchase.

We use this information to respond to your inquiries and to communicate with you about HealthStream according to your communication preferences.

Automatically from your use of the Site, with legitimate interest.

  • When you interact with the Site, we automatically collect technical data about your internet activity such as your IP address, the content with which you interact and, for some Services, your geolocation. Like most online services, the Site uses analytics cookies as described in our Cookie Declaration. We collect this information to achieve our legitimate interest of managing and improving our Services. We use this information to administer the Site, provide and improve the Services, analyze usage, protect the Services and its content from inappropriate use, and improve the nature and marketing of the Services.

In addition to the specific uses above, we might also use your Personal Information to (i) provide the Services and personalize your experience; (ii) send you support and administrative messages; (iii) monitor your compliance with any of your agreements with us; (iv) protect your privacy and enforce this Privacy Statement; (v) identify, contact, or bring legal action against persons or entities who may be causing injury to you, to HealthStream, or to others if we believe it is necessary; (vi) comply with a law, regulation, legal process or court order; or (vii) fulfill any other purpose to which you consent. HealthStream will update this Privacy Statement or otherwise notify you and obtain your consent where required under applicable law before we collect additional categories of Personal Information or use your Personal Information for purposes that are incompatible with the purpose stated at the time of collection.

About Retention Periods
HealthStream retains Personal Information for the minimum period necessary to fulfil the purpose for which it was collected. Sometimes our retention periods are determined by the regulations or policies that apply to the Providers or Users of a given Service. This means HealthStream may be required to retain Personal Information for a specified period or indefinitely, unless or until a User requests that we delete some or all of their Personal Information. HealthStream’s data retention practices are designed to ensure that our Services serve as a secure repository of information in healthcare settings, comply with regulatory requirements, and support a policy of good data hygiene.

About Disclosure to Third Parties
We only disclose your Personal Information in limited circumstances and for specific purposes. If any Service allows for social connectivity or sharing, we will notify you of the privacy implications of using the feature before you proceed. In the last 12 months, HealthStream has disclosed all categories of Personal Information that we collected for a business purpose to these recipients:

Your Provider

  • If you use a HealthStream Service for your job or role in an educational or healthcare program with a Provider, HealthStream is a service provider to your Provider. We may disclose any Personal Information associated with your account to your Provider so that you and your Provider can manage your role within the organization or so the Provider can provide you with other services.

Our Service Providers

  • We use a variety of service providers such as data hosting companies, analytics services, email hosting services, and payment processors. We prohibit our service providers from selling or disclosing the Personal Information we provide, and we require all service providers to maintain confidentiality standards that are commercially reasonable to ensure the security of your Personal Information. The type of information that we provide to a Service Provider will depend on the service that they provide to us.

Our Affiliates

  • As a part of the HealthStream family of services, we may disclose the Personal Information we collect about you to our affiliates or subsidiaries. If we do disclose your Personal Information to our affiliates or subsidiaries, their use and disclosure of your Personal Information will be subject to this Privacy Statement.

Law enforcement or other governmental agencies as permitted or required by law.

Cookie information recipients subject to their respective privacy statements.

Other Third Parties, as permitted by applicable law.

  • For example: if we go through a business transition (e.g., merger, acquisition, or sale of a portion of our assets); to comply with a legal requirement or a court order; when we believe it is appropriate in order to take action regarding illegal activities or prevent fraud or harm to any person; to exercise or defend our legal claims; or for any other reason with your consent.

About Aggregated and Deidentified Information
HealthStream may use fully anonymized, deidentified or aggregated data generated using Personal Information to assist with our research, marketing, advertising, or other purposes. This information is not your Personal Information, so we may do this for our purposes and without restriction. If we ever have a data collection mechanism specifically intended for a Provider’s use, we will notify you that the data is being collected for that specific purpose and help you understand the privacy implications before you use it.

Health and Educational Privacy

Your Provider may instruct us to collect or process information about you that is protected under health privacy laws or education privacy laws. If we collect or process protected health information, HealthStream is a “business associate” to the Provider as a “covered entity” under HIPAA. If your Provider is an educational institution, HealthStream is considered a “school official” to the Provider under FERPA and equivalent laws. Your Provider instructs our activities with this data, and your Provider (not HealthStream) is responsible for all decisions for its use, disclosure, and security. Please contact your Provider if you have questions.

For all other uses of our Services, HealthStream is not subject to HIPAA or FERPA or any of their equivalent or complementary laws, and we make no warranty or representation that disclosures of information via the Services are permissible under such laws or that the Services comply with any law or regulation governing health care, medical professionals, or educational institutions.

Your Privacy Choices and Controls
We provide you with methods to directly control how we collect and use your Personal Information. If you have questions or need help, please contact your Provider, send us a Consumer Privacy Request or email us at privacy@HealthStream.com.

Your Account Profile and Device Settings
Users can sign in to change or delete certain Personal Information in their accounts at any time. Because the Services act as an information repository for Providers, some of the Personal Information on your account cannot be deleted. Please contact your Provider if you wish to make changes to your account but are not able to do so yourself.

You can also control the data we collect by adjusting your device settings.

HealthStream Emails
If you provide us with your email address, we may send you informational or support emails or, if you opt-in, marketing emails about the Services. You can opt-out of marketing emails but not our support or transactional emails. To opt-out, change your preferences via the links provided in the emails, email privacy@healthstream.com or submit a Consumer Privacy Request.

Texting Consent
If you provide us with your wireless number, you consent to HealthStream sending you text messages for informational or authentication purposes. The number of texts that we send to you will be based on your circumstances and requests. You can unsubscribe from text messages by replying STOP or UNSUBSCRIBE to any of these text messages. Messaging and data charges may apply to any text message you receive or send. Please contact your wireless carrier if you have questions about messaging or data charges.

Do Not Track Requests
Do Not Track signals are signals sent through a browser informing us that you do not want to be tracked. Currently, our systems do not recognize browser “do-not-track” requests. If this changes in the future, we will update this Privacy Statement.

Consumer Privacy Requests
If you wish to exercise your rights beyond the methods provided, express concerns, lodge a complaint, or obtain additional information about the use of your Personal Information, please contact your Provider.

Alternatively, you can send us a Consumer Privacy Request or email HealthStream at privacy@HealthStream.com. We will relay your request to your Provider or fulfill it directly if we can. HealthStream does not charge a fee to process or respond to a verifiable request unless we have legal grounds to do so. In that case, we will tell you the cost estimate and why we are charging the fee before completing your request. We may be unable to fulfill some or all of your request, for example, if your request falls within a statutory exception or if fulfilling your request would prevent us from complying with a statutory or contractual obligation.

United States Privacy Rights

Depending on where you live or are located, you may have certain rights over your Personal Information. This section provides legally required notices of consumer privacy rights applicable in California, Colorado, Connecticut, Nevada, Utah, Virginia, and other states with similar requirements. If you reside in a state offering privacy protections (“Consumer”), you may have some or all of the following rights related to your privacy:

  • Right to Correct. You have the right to request that we correct inaccurate Personal Information about you on our systems. If you become aware that the Personal Information that we hold about you is incorrect, or if your situation changes (e.g., you change address), please inform us and we will update our records.
  • Right to Delete. You have the right to request that we delete any of your Personal Information that we collected from you and retained, with certain exceptions. HealthStream may permanently delete, deidentify, or aggregate the Personal Information in response to a request for deletion. If you submit a right to deletion request, we will confirm the Personal Information to be deleted prior to its deletion, and we will notify you when your request is complete.
  • Right to Access. You have the right to receive confirmation that we have collected Personal Information about you and copies of the requested pieces of Personal Information in a portable and readily usable format. Please note that we may be legally prohibited from disclosing certain pieces of Personal Information, and we may be limited in the number or frequency of requests we must fulfill.
  • Limited Use and Disclosure of Sensitive Personal Information. We do not seek to collect your sensitive Personal Information, though you may choose to provide some sensitive Personal Information when using HealthStream. In no case will we use or disclose your sensitive Personal Information for the purpose of inferring characteristics about you. If this ever changes in the future, we will update this Privacy Statement and provide you with methods to limit use and disclosure of Sensitive Personal Information.
  • No Selling or Sharing Personal Information. We do not, and will not, sell the Personal Information we collect about you from your use of HealthStream or share your Personal Information with third parties for cross-contextual behavioral advertising purposes. If we place cookies on the Services for marketing and retargeting purposes, this may qualify as “sharing” Personal Information under some laws. To opt-out of this sharing, adjust your settings on our Cookie Declaration or cookie banner to opt-out of Marketing Cookies. If our practices change, we will update this posting and provide you with opt-out methods.
  • No Profiling. We do not use any form of automated processing of Personal Information to evaluate, analyze, or predict your performance, preferences, choices, or behavior. If this changes in the future, we will update this posting to describe our use of profiling and your options to opt-out. 
  • Right to Disclosure. You have the right to receive details about our collection and use of your Personal Information, such as: (i) the categories of Personal Information we have collected about you; (ii) the categories of sources for the Personal Information we have collected about you; (iii) our business purpose for collecting, using, processing, sharing or selling that Personal Information, as applicable; (iv) the categories of third parties with whom we share that Personal Information; and (v) if we sold or shared your Personal Information under the California Consumer Privacy Act, two separate lists stating: (a) sales or sharing, identifying the Personal Information categories that each category of recipient purchased; and (b) disclosures for a business purpose, identifying the Personal Information categories that each category of recipient obtained. Certain laws may limit the number or frequency of requests we must fulfill.
  • Right to Nondiscrimination. We will not discriminate against you for exercising your privacy rights. For example, unless permitted by law we will not: (i) deny you goods or services; (ii) charge you different prices or rates for goods or services; (iii) provide you a different level or quality of goods or services; (iv) retaliate against you as an employee, applicant for employment, or independent contractor for exercising your privacy rights; or (v) suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services, because you exercised a right under applicable privacy laws.
  • Right to Disclosure of Marketing Information. California’s Shine the Light Act (Civil Code sections 1798.83-1798.84) entitles California residents to request certain disclosures regarding Personal Information sharing with affiliates and/or third parties for marketing purposes.

To exercise these rights or inquire further, please contact your Provider, send us a Consumer Privacy Request or email us at privacy@HealthStream.com.

Canadian Privacy Rights

This section provides supplemental information to residents of Canada (“Canadian Consumers”) in compliance with Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”) and applies solely to Canadian Consumers where PIPEDA applies. The following paragraphs describe PIPEDA rights and explain how to exercise those rights.

  • Right to know why we collect, use and distribute the Personal Information we process. We have set the required notices in this Privacy Statement. We may provide you with additional notices about other ways we process your Personal Information, such as by sending you a notice via email or by other means of communication.
  • Right to expect us to collect, use or disclose Personal Information responsibly and not for any purpose other than that to which you consented. We set your expectations in this Privacy Statement and collect express or implied consent at various stages of collection or processing. If we collect or use your Personal Information based on your consent, we will also notify you of any changes and will request your further consent as needed. You may withdraw your consent at any time with reasonable notice by submitting a Consumer Privacy Request or contacting us at privacy@healthstream.com.
  • Right to accuracy of your Personal Information. We take steps to reasonably ensure that your Personal Information we are using is accurate. In most cases, we rely on you to ensure that your information is current, complete, and accurate.  We provide methods for you to correct, update, and delete inaccurate Personal Information in your account, and we will provide you with reasonable assistance to ensure that your Personal Information is accurate in our systems and with our service providers.
  • Right to access your Personal Information. Upon written request and identity authentication, we will provide you with your Personal Information under our control, information about the ways in which that information is being used and a description of the individuals and organizations to whom that information has been disclosed. We will make the information available within 30 days or provide written notice where additional time is required to fulfil the request. If limited by law or potential infringement on another’s privacy rights, we may not be able to provide access to some or all of the Personal Information you request. If we must refuse an access request, we will notify you in writing, document the reasons for refusal and outline further steps that are available to you.

To exercise these rights or inquire further, please contact your Provider, send us a Consumer Privacy Request or email us at privacy@HealthStream.com.

Children’s Privacy

Our Services are designed for individuals aged 16 and older. We do not knowingly collect Personal Information from children under 16 without verification of parent or guardian consent. If you believe we might have any information collected online from a child under 16, or if you become aware of any unauthorized submission of information to us, please contact us at privacy@healthstream.com and we will delete that information from our systems.

HealthStream cannot control the privacy practices of Providers. If a Provider chooses to input children’s Personal Information on the Services, it is done under their own privacy practices, not ours. We are not responsible for any Provider’s or other party’s compliance or noncompliance with laws or regulations. Please contact the Provider directly if you have questions about their privacy practices.

HealthStream Is Offered in the U.S.

HealthStream is owned and operated in the United States and is designed to serve Users and Providers in the United States and Canada. We do not market the Services to residents of the European Union or any other jurisdiction outside of the United States and Canada. If you are an EU resident, please do not submit any Personal Information to HealthStream.

If you are a registered User who is a non-US resident or if you visit the Site from outside of the United States, you acknowledge that Personal Information we collect about you will be transferred to our servers in the United States and maintained there in accordance with our retention policy. This may require the transfer of your Personal Information out of your country of origin with laws governing data collection and use that may differ from or be more restrictive than U.S. law, or may result in governments, courts, law enforcement, or regulatory agencies having access to or obtaining disclosure of your Personal Information pursuant to the laws of the applicable foreign jurisdiction. By allowing us to collect Personal Information about you, you consent to this Privacy Statement and the transfer and processing of your Personal Information as described in this paragraph, and you waive any and all remedies that you may have based on the laws of your jurisdiction.

Data Security

HealthStream implements reasonable and appropriate technical, organizational, and physical security measures to help protect your Personal Information from unauthorized or illegal access, destruction, use, modification, or disclosure. We employ a series of security measures, including secure login, multifactor authentication, and encryption in transit and at rest. We ensure that HealthStream personnel responsible for handling Personal Information and privacy matters are informed of applicable privacy law requirements. Our security measures are appropriate to the volume, scope, and nature of the Personal Information processed and designed to meet our duty of care with respect to your Personal Information. Please note, however, that no transmission of data over the internet is 100% secure. We cannot guarantee that unauthorized third parties will not defeat our security measures or use your Personal Information for improper purposes. It is your responsibility to keep your account secure from unauthorized access. HealthStream is not responsible for any lost, stolen, or compromised passwords, or any unauthorized activity on your account. We also have no control over any Provider’s security measures or practices, and we make no representations or guarantees that your Personal Information is secure once transmitted or stored on their systems.

Third Party Websites

The Services may include links to other websites whose privacy practices may differ from ours. If you submit Personal Information to any of those websites, your information is governed by the privacy policies of those other websites. You should carefully review the privacy statement of any website you visit.

Privacy Statement Updates

We may periodically update this Privacy Statement. If we make any material changes, we will notify you through the Services or by updating this posting. The date that this Privacy Statement was last revised is identified at the top of the page. Your continued use of the Services after the effective date will be subject to the new Privacy Statement. You are responsible for periodically checking this Privacy Statement for changes.