Phreesia platform users have a choice to receive health-related materials that are personalized for them. If you entrust your personal data to Phreesia for this purpose, you have certain privacy rights.
1. What are our values?
At Phreesia, we believe that when equipped with accurate, personalized, scientifically sound information, you can focus on what is important to your health, better participate in your healthcare, and advocate for yourself. We deliver health-related materials that support those outcomes. We believe that all the health-related materials we present on our platform can help patients improve their health and wellbeing. You can learn more about the standards for health-related materials that appear on Phreesia’s platform in our Third-Party Content Policy.
We rely on individuals to direct us as to whether they want to receive this content. When you give us permission to use your personal data to show you personalized information related to your healthcare, we do. When you ask us to stop using your personal data for that purpose, we do that too.
To understand how our platform collects and uses your personal data, it’s important to understand a bit about how our products work.
3. What personal data does Phreesia collect—and what does Phreesia not collect?
After you sign the optional HIPAA Authorization, we may obtain additional personal data from you as you interact with Phreesia’s products and services, including:
- Information you voluntarily enter into the screens (for example, if you answer survey questions or provide contact information for follow-up from a third party);
- Information about the health-related materials you see; and
- Technical information that helps our product function, for example, information from your browser, computer, or mobile device as you continue to interact with Phreesia’s products or services. This information includes device and network information, log files and analytics information. Phreesia also makes use of log files, which include IP addresses, browser type, date/time stamp, and number of clicks.
There are certain types of information that we do not collect:
- When you sign an authorization, we do not collect certain information from your Healthcare Provider. For example, we do not collect information on abortion history, child abuse or neglect, or psychotherapy notes from your Healthcare Provider.
- We do not use geolocation trackers. We never use GPS data from your device to deliver messages to you. We do not track your browsing activity on third-party sites with third-party pixels, cookies or similar technologies. This means we do not track your internet search history, social media activity, purchase patterns or other information you input into other websites.
- We do not allow third parties to collect information about you for their own purposes through pixels, cookies or similar technologies. For example, we do not allow third-party trackers to collect information about your use of our platform in order to present you with advertisements on third-party sites such as social media, search engines, or other sites on which advertisements are presented.
4. How do we protect your personal data?
Privacy and security are top priorities for us, not boxes to be checked during a once-a-year review. At every level of our organization, we have measures and protocols in place to protect your information, and we foster a culture focused on safeguarding data. We’re honored to have those efforts recognized with many of the industry’s most well-known certifications. More information is available at https://www.phreesia.com/products/privacy-and-security/.
5. How do we use your personal data?
To share personalized health-related materials with you.
We use your personal data to show you personalized messages and surveys related to your healthcare. Specifically, our technology matches your personal data to health-related material that may be relevant to you. We’re paid to deliver some materials, and not paid to deliver others. Sometimes, we will show you information that may support your healthcare journey. Other times, you may have information that healthcare leaders would like to inform their decisions—for instance, our product may match you to a relevant survey that you might wish to take. Such surveys may also include marketing content.
You are not required to answer any surveys. You are also always welcome to skip viewing the personalized messages or surveys or to stop receiving them.
To stop receiving personalized health-related materials, or to stop having your Healthcare Provider provide information to us pursuant to your HIPAA Authorization, you may revoke your HIPAA Authorization by writing to Phreesia’s Privacy Officer at Privacy Officer, Phreesia, Inc., 1521 Concord Pike, Suite 301, PMB 221, Wilmington, DE 19803 or email@example.com and providing your name, date of birth, home address and provider’s name. This personal data will not be used for any purpose other than to verify your identity to revoke your authorization.
To plan the content on our platform and to measure the effectiveness of content shown to you.
We may also use your personal data to help us understand general trends about groups of users on our platform and the types of content those groups are likely to find helpful, as well as to measure the effectiveness of the health-related materials that we present to you on our platform.
To create de-identified health information.
To provide security.
We protect your personal data using security practices that we regularly review and update. We may be required to access your personal data to provide appropriate security. For example, we may verify activity, investigate suspicious activity, and detect and prevent security threats. Section 4 above provides more information about our security practices.
6. When is your personal data disclosed?
Your personal data may be disclosed only under limited circumstances, such as for one of the purposes described below:
Some of the personalized health-related materials may offer you the ability to receive additional communications directly from the sponsor of the materials. For example, a pharmaceutical manufacturer who makes a medicine may sponsor a message about that medicine that you see, and ask if you would like to receive additional communications about the medicine directly from them.
You are never required to agree to receive any communications directly from sponsors. Any opportunity to receive additional communications describes what personal data you would be sharing (such as your name and email address) and for what purpose. If, after reading this explanation, you decide that you want to share some of your personal data with the sponsor, then we will complete your request.
Your Healthcare Provider
We may share certain personal data with the healthcare provider from whom we collected your personal data under your signed HIPAA Authorization. For example, we may let them know what information you and other patients have seen on the platform so they can understand how your interaction with the Phreesia platform relates to their care for you.
With contractual provisions appropriate to protect your privacy and security, we use service providers to help us operate. In this context, service providers are those that we pay to help us store or otherwise process your personal data. For example, we may use cloud computing companies to process personal data when we provide our services. These service providers are contractually required to protect and secure your information.
Legal and Government Access
We will not share your personal data with law enforcement, government agencies, or private litigants unless such a disclosure is required by a valid and legally binding request.
If we receive a law enforcement request for your personal data, we will try to notify you by sending an email to an email address we have on file for you, unless the law does not allow us to provide this notice to you.
7. How long do we store your personal data?
8. What privacy laws apply?
We take your privacy seriously, no matter where you live. However, if you live in certain states, particular rights may be available to you under your state’s laws. This section describes those rights as well.
Certain State Privacy Laws
Residents of certain U.S. states, such as California, Colorado, Connecticut and Virginia, may have personal data rights under the laws of their state (“State Privacy Laws”). Below, we describe those rights, explain how to exercise them, and provide additional information about your personal data.
Additional Information About Our Data Collection
- Identifiers, such as your name, address, phone number, email address, and other similar identifiers.
- Personal data such as your medical, insurance or appointment records.
- Characteristics of protected classes under law, including gender, race and age.
- Sensitive personal information, including race or ethnic origin, information concerning health, information concerning sex life or sexual orientation. We only use sensitive personal information to provide you with the health-related materials you request and to perform related services on behalf of our business.
- Internet activity information, such as session logs of use of our platform. However, as noted above, we do not gather information through third-party trackers placed on other sites.
Sharing and Selling with Third Parties
We have not shared or sold personal data with third parties, as defined under State Privacy Laws. As noted above, we only provide limited personal data to the sponsors of health-related materials on our platform when you specifically request further material directly from the sponsor.
Your Rights, How to Exercise Your Rights, and How to Contact Us
You, or your authorized agent, may exercise any of your State Privacy Law rights by emailing Phreesia’s Privacy Officer at firstname.lastname@example.org or writing to Privacy Officer, Phreesia, Inc., 1521 Concord Pike, Suite 301, PMB 221, Wilmington, DE 19803. Before we can implement your request, we’ll need to confirm your identity. To allow us to confirm your identity, you will need to provide your name, date of birth, home address, and the name of the Healthcare Provider with which you used our platform.
Right to Know and Access the Personal Data We Collect and Share
Right of Deletion
You may request that we delete the personal data we have collected about you, subject to certain legal exemptions.
Right of Correction
You have a right to correct any inaccurate personal data we maintain about you.
Right to Non-Discrimination
You have a right not to receive discriminatory treatment for exercising the privacy rights conferred on you under State Privacy Laws.
United Kingdom and European Economic Area
Phreesia works hard to be transparent about the ways in which we use your personal data. We know that you trusted us with your personal data, and we will do everything we can to honor that trust.
Effective Date: November 20, 2023