Change Healthcare – Global Privacy Notice

Effective Date:  March 2021

Privacy matters to Change Healthcare, so we follow a privacy framework that helps us to manage and protect your information in our products, services and websites. Whether you are new to Change Healthcare or a long-time user, please take the time to get to know our practices – and if you have any questions contact us. This Global Privacy Notice (“Notice”) describes how Change Healthcare collects, uses, and shares the information you provide  where we display this notice, including, among others, www.changehealthcare.com, www.changehealthcare.co.uk, www.changehealthcare.ie, and www.changehealthcare.co.nz (our “Sites”) and in the services that we provide (collectively, “Sites and Services”). This Notice describes your rights and choices, and how you can contact us about our privacy practices.  Our privacy practices may vary among the countries or territories where we operate to reflect local legal requirements.

Change Healthcare Sites and Services may contain links to third-party websites, products, and services. Our app marketplace, for instance, offers products and services from third parties as well as from Change Healthcare. This Notice does not apply to third party websites and mobile applications, products, or services that may link to or are linked from our Sites and Services or services we offer as a Business Associate on behalf of health care organizations. Please consult those websites and applications directly to understand their privacy practices.
 

Information We Collect

Information We Collect From You

Change Healthcare collects, processes, and retains information from you when you interact with our Sites and Services.

We collect the following information from you:

  • We collect log-in credentials (such as user ID and password) and security questions and answers
  • We collect your name, email address, contact information, including your mailing address, phone number, title, and information about the organization with which you are affiliated
  • We collect any information you choose to include in your messages or responses when interacting with us through our Sites and Services, including via online forums, inquiry forms, our support portal, or our Chatbox messaging service and other messaging services, including any information you provide when you complete a survey administered by us or a supplier acting on our behalf
  • We collect your payment information and associated contact information when you engage in transactions
  • If you purchase a subscription to an app in the Change Healthcare marketplace, we create a subscriber ID that is unique to you, and collect information about your device and your device’s operating system and browser information, transaction-related information such as product download ID/name, account contact information, device ID, download frequency/time, information about the way you use the Application including administrative user account contact information, device event information such as errors, system activity, hardware settings, the date and time of your request

Information We Collect Automatically

We automatically collect certain information through browser cookies and other tracking technologies when you access, use, or interact with our Sites and Services, including:

  • Browser and device data: We collect your device type, operating system and version, IP address, general geographic location as indicated by your IP address, browser type, screen resolution, device manufacturer and model, language, plug-ins, add-ons, and the language version of the Site you are visiting
  • Usage data: We collect information about the time you spend on our Sites and Services, the content you view or download and features you access, the pages that led or referred you to our Sites and Services, language preferences, how you interact with available content, and entered search terms
  • Interactions with ads and newsletters: We collect information about how you interact with our ads and newsletters, including whether you open or click links in any correspondence
  • Social media: We collect information that you make available to us on social media platforms (such as by clicking on a social media icon linked from our Sites and Services), including your account ID or username and other information included in your posts

When you visit or use our Sites and Services, we and our partners collect information about your online activities over time and across different sites to provide you with advertising about products and services tailored to your individual interests (called “interest-based advertising”). Our partners may place or recognize a unique cookie or other tracking technology on your browser (including the use of pixel tags). Where required by applicable law, we will rely on your consent prior to processing personal information from your device or computer for the purpose of interest-based advertising.

Cookies are small text files that are stored in a devices’ web browser memory. Cookies store information when you use, access or interact with our Sites and Services, such as your IP address or other identifier, your browser type, and information about the content you view and your interactions. Other tracking technologies, such as pixel tags (also known as web beacons and clear GIFs), page tags, and script, may contain small transparent image files or lines of code to, among other things, track the actions of users (such as email recipients), measure the success of our marketing campaigns and compile statistics about usage of our Sites and Services.

We may use cookies and other tracking technologies for any of the following purposes:

  • Site operations, including to enable features on our Sites and Services, such as remembering your preferences, tracking the number of times you have been shown an advertisement, generating aggregate statistics about how people use our Sites and Services, and for error management and troubleshooting
  • Analytics, including to allow us to understand how our Sites and Services are being used, track the performance of our Sites and Services and make improvements
  • Interest-based advertising, including to deliver tailored communications or advertising based on your preferences or interests across services and devices and measure the effectiveness of advertisements
  • Social media, including to enable the sharing of content from our Sites through social networking and other sites

For a list of the third parties that set cookies on our websites, including service providers acting on our behalf, please see our third-party cookie list third-party cookies page.

As a general rule, we do not collect personal information via cookies unless you have given us your permission to do so.  For more information on how to administer your preference, please see the “How to Manage Your Cookies” section below.

Your browser or device may include “Do Not Track” functionality. At this time, Change Healthcare does not respond to browser “Do Not Track” signals.

Most web browsers automatically accept cookies but, if you prefer, you can usually modify your browser setting to disable or reject cookies. If you delete your cookies or if you set your browser to decline cookies, some features of our Sites and Services may not be available, work, or work as designed. You may also be able to opt out of or block tracking by interacting directly with the other companies who conduct tracking through our Services. You can learn more about ad serving companies and the options available to limit their collection and use of your information by visiting the websites for the Network Advertising Initiative, the Digital Advertising Alliance, and the European Interactive Digital Advertising Initiative. Similarly, you can learn about your options to opt out of mobile app tracking by certain advertising networks through your device settings and by resetting the advertiser ID on your Apple or Android device.

Please note that opting out of advertising network services does not mean that you will not receive advertising on our Sites or on other websites, nor will it prevent the receipt of interest-based advertising from other companies that do not participate in these programs. It will, however, exclude you from interest-based advertising conducted through participating networks, as provided by their policies and choice mechanisms. If you delete your cookies, you may also delete your opt-out preferences.

Information We Collect from Other Sources

We may obtain information about you from other sources such as data brokers, credit reporting agencies, social networks, partners with which we offer co-branded services or engage in joint marketing activities, and publicly available sources such as data in the public domain.

We also may receive information about you from outside suppliers through your online activities on websites and connected devices over time and across websites, devices, apps and other online features and services.

These other sources help us update, expand, and analyze our records; identify new customers; determine you or your organization’s advertising or purchasing preferences; or prevent or detect fraud. We combine such information with information we have collected about you through our Sites and Services. We will treat the combined information in accordance with this Privacy Notice.

How We Use Your Information

We use the information we collect about you for the following purposes:

  • To provide you with our Sites and Services, including to book sales appointments, enter into contracts, process payments, fulfil orders, send service communications, send email marketing communications, and conduct general business operations such as accounting, recordkeeping, and audits
  • To provide you with the best service and to improve and grow our business, including to understand how our Sites and Services are being used, conduct data analyses of user experiences and behavior, understand our customer base and purchasing trends, understand the effectiveness of our marketing, and develop new products and services
  • To deliver targeted advertising on our Sites based on your preferences or interests across services and devices and measure the effectiveness of ads
  • To protect and secure our Sites and Services, assets, network, and business operations, and to detect, investigate, and prevent activities that may violate our policies or be fraudulent or illegal, and
  • To comply with legal process, such as warrants, subpoenas, court orders, and lawful regulatory or law enforcement requests and to comply with legal requirements regarding the provision of products and services

Marketing Emails

If at any time you would like to unsubscribe from receiving promotional or commercial emails from us, you can click the unsubscribe link at the bottom of any email or you can unsubscribe by clicking the link here. We will comply with your request(s) as soon as reasonably practicable. Please note that if you opt out of receiving marketing-related emails from us, we may still send you important administrative messages.

How and With Whom We Disclose Your Information

  • With our suppliers: We share your information with suppliers that provide services on our behalf, such as marketing and survey services, payment processors, website and customer experience hosting, data analysis, data storage, customer service, auditing and accounting firms and security suppliers. We contract with suppliers to use or disclose information to perform services on our behalf or to comply with legal requirements. We require our suppliers to contractually commit to protect the security and confidentiality of data they process on our behalf.
  • With other Change Healthcare companies:  We share your information with other Change Healthcare entities to provide our Services and for internal administrative purposes.
  • With app providers in the Change Healthcare marketplace: If you purchase a subscription to an app or content in the Change Healthcare marketplace, we share information regarding your subscription with the app provider.
  • With our advertising partners: We share your information with our advertising partners.
  • With social media platforms: Where you choose to interact with us through social media, your interaction with these programs typically allows the social media company to collect some information about you through cookies they place on your device and other tracking mechanisms. In some cases, the social media company may recognize you through its digital cookies even when you do not interact with their application. Please visit the social media companies’ respective privacy policies to better understand their data collection practices and controls they make available to you.
  • Where required or permitted by law or in the context of an audit or other review: We share information with law enforcement agencies, courts, or other government authorities where we believe it is necessary to comply with a legal or regulatory obligation; to protect the rights, safety, and property of Change Healthcare, you or others; or to respond to requests from courts, law enforcement agencies, regulatory agencies and other public and government authorities.
  • In the context of a change of ownership or corporate organization: We may transfer to another entity or its affiliates or service providers some or all information about you in connection with, or during negotiations of, any merger, acquisition, sale of assets or any line of business, change in ownership control, or financing transaction. We cannot promise that an acquiring party or the merged entity will have the same privacy practices or treat your information the same as described in this Policy.

Children’s Information 

Our Sites and Services are intended for users age thirteen and over. We do not knowingly collect information from children. If we discover that we have inadvertently collected information from anyone younger than the age of 16, we will delete that information.

Personal Information Security and Storage

We implement and maintain organizational, technical, and administrative security measures designed to safeguard the information we process within our organization against unauthorized access, destruction, loss, alteration, or misuse. These measures are aimed at providing on-going integrity and confidentiality for your personal information. We evaluate and update these measures on an ongoing basis. Your information is only accessible to personnel who need access to the information to perform their duties. However, while we take precautions to safeguard your information, we cannot guarantee the security of the networks, systems, servers, devices, and databases we operate or that are operated on our behalf.

We retain your personal information for as long as we have a relationship with you, subject to applicable law and regulation. When deciding how long to keep your personal information, we consider our legal and regulatory obligations and internal personal information management policies. For example, we retain records to investigate or defend against potential legal claims or where required by law. Where we retain data, we do so in accordance with any limitation periods and records retention obligations that are imposed by applicable law. 

International Data Transfers

Your information may be transferred to, stored, and processed in a country that does not provide the same level of protection for personal information as the laws of your home country and may be available to the government of those countries under a lawful court order made in those countries. We have put in place appropriate safeguards in accordance with applicable legal requirements to provide adequate protections for your personal information and we comply with  applicable laws on the transfer of personal information between countries, privacy, data protection and cybersecurity laws where we transact business to help protect your personal information.

Change Healthcare relies on approved Standard Contractual Clauses for the international transfer of personal information collected in the European Economic Area.  Change Healthcare also abides by the principles of the EU-U.S and Swiss-U.S Privacy Shield Framework, as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the EU or Switzerland to the United States, although Change Healthcare does not rely on the EU-U.S and Swiss-U.S Privacy Shield Framework as a legal basis for transfers of Personal Data in light of the judgment of the Court of Justice or the EU in Case C-311/18. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/  If you have questions or concerns about our privacy certifications, contact our third-party dispute resolution provider.

Rights of Individuals Located Outside the United States

If you are located in certain countries outside the US, you have specific privacy rights under applicable law with respect to your personal information.

We will rely on the following legal bases for processing your personal information, depending on our purpose for such processing.

  • Consent. We will obtain your consent before using or sharing your data for advertising that is targeted based on your browsing history, online behavior, or other personal information that we or others have collected about you. If you consent to our use of your personal information for any purpose, you have the right to withdraw consent at any time by contacting us
  • Legitimate Interests. Change Healthcare has a legitimate interest in processing your personal information for certain business and security purposes such as product and service improvement; fraud detection and prevention; network and system security; and non-targeted marketing and advertising. Change Healthcare also has a legitimate interest in processing your personal information for compliance with applicable law
  • Compliance with Legal Obligations. We will process your personal information where necessary to comply with our obligations under applicable privacy and data protection law

If we intend to use your personal information that we have collected for a different purpose other than the purpose disclosed to you, we will provide you with information about the secondary purpose and with any other information necessary to ensure fair and transparent processing prior to such use.

You may have the following rights with regard to the personal information we control about you, subject to applicable exceptions, under local data protection laws:

  • The right to request confirmation of whether Change Healthcare processes personal information relating to you, and if so, to request a copy of that personal information
  • The right to request that Change Healthcare correct or update your personal information that is inaccurate, incomplete, or outdated
  • The right to request that Change Healthcare delete your personal information in certain circumstances provided by law
  •  The right to request that Change Healthcare restrict the use of your personal information in certain circumstances, such as while Change Healthcare considers another request that you have submitted (including a request that Change Healthcare make an update to your personal information)
  • The right to request that Change Healthcare export your personal information in a usable electronic format to another company, where technically feasible
  • The right to object to processing of your personal information based on Change Healthcare’s legitimate interests at any time, upon which Change Healthcare will no longer process the data, unless there are compelling legitimate grounds for our processing that override the interests, rights, and freedoms of the data subject, or the processing serves the purpose of asserting, exercising, or defending legal claims, and
  • The right to withdraw consent at any time, where Change Healthcare is processing your personal information based on your consent

You have the right to make a complaint with your local data protection authority if you believe that the processing of your personal information infringes your rights under applicable privacy and data protection laws. Contact details for EEA data protection authorities are available here.

In order to exercise your data protection rights, you may contact Change Healthcare as described in the How to Contact Us section below or submit a request by filling out a Consumer Data Request Form available here. In order to verify your identity, we may require you to provide us with personal information prior to accessing any records containing personal information about you.

Special Information for Nevada Residents 

Residents of the State of Nevada in the United States have the right to opt out of the sale of certain pieces of their information to other companies who will sell or license their information to others. If you are a Nevada resident and would like more information about our data sharing practices, please email us at ChiefPrivacyOfficer@ChangeHealthcare.com

Your California Privacy Rights

Residents of the State of California have the right to request information from Change Healthcare regarding other companies to whom the company has disclosed certain categories of information during the preceding year for the other companies’ direct marketing purposes. If you are a California resident and would like to make such a request, please submit the Consumer Data Request Form available here.

The California Consumer Privacy Act provides California residents with rights to receive certain disclosures regarding the collection, use, and sharing of “Personal Information,” as well as rights to know/access, delete, and limit sharing of Personal Information. The CCPA defines “Personal Information” to mean “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Certain information we collect may be exempt from the CCPA because it is considered public information (i.e., it is made available by a government entity) or covered by a specific federal privacy law, such as the Gramm–Leach–Bliley Act, the Health Insurance Portability and Accountability Act (HIPAA), or the Fair Credit Reporting Act.

To the extent that we collect Personal Information that is subject to the CCPA, that information, our practices, and your rights are described below.

Right to Information Regarding the Categories of Personal Information Collected, Sold, and Disclosed.

The following is a description of our data collection practices, including the Personal Information we collect, the sources of that information, the purposes for which we collect information, and whether we disclose that information to external parties. We may use any and all of the information for any of the purposes described in this privacy notice, unless limitations are listed. The categories we use to describe the information are those enumerated in the CCPA.

  • Personal Identifiers:
    • We collect your name, phone number, email address, mailing address, and contact address when you create an account or contact us via the site. If you choose to create an account, you will also be asked to create a username, and we will assign one or more unique identifiers to your profile. We use this information to provide our services, respond to your requests, and send information and advertisements to you
    • We collect a unique numerical identifier, assigned to you by a cookie, automatically when you use the Sites and Services in order to identify you, provide our Services, keep you logged in to our Sites, prevent fraud, and provide you with targeted information and offers
    • We, or a service provider working on our behalf, collect your payment information when you provide it in order to complete a transaction. This information includes your credit card number or bank account number. We use this information to facilitate payments and transactions
    • We do not collect your Driver’s License number, passport number, or social security number
    • We collect your IP address and Device ID automatically when you use our Sites and Services. We use this information to identify you, gauge online activity on our website, measure the effectiveness of online services, applications, and tools, and provide you with targeted advertisements and offers based on your online activities
  • Protected Classifications: We do not collect your age, gender, racial or ethnic origin, or sexual orientation
  • Commercial Information: When you engage in transactions with us, we create records of transactions. We may use this information to measure the effectiveness of our services and to provide you with targeted information, advertisements, and offers
  • Biometric Information: We do not collect information about your physiological, biological, or behavioral characteristics
  • Internet or Other Electronic Network Activity Information: When you navigate to and use our site, we collect information such as your Internet domain, the domain of your Internet service provider, the date and time that you access the site, the Internet address of the website from which you linked directly to the site, and the pages you visit on our sites
  • Geolocation Data: As described above, we collect your IP address automatically when you visit our sites. We can determine your general location based on your IP address
  • Audio, electronic, visual, thermal, olfactory, or similar information: We do not collect your audio, electronic, visual, thermal, olfactory, or similar information
  • Professional or employment-related information: We collect your business contact information when you contact us regarding our products and services or when you interact with us at trade shows. We otherwise do not collect your professional or employment-related information
  • Education information: We do not collect any information about the institutions you have attended or the level of education you have attained
  • Inferences drawn to create a profile about a consumer reflecting the consumer’s preferences or characteristics: We analyze your actual or likely preferences through a series of computer processes and add our observations to your internal profile. We use this information to gauge and develop our marketing activities, to measure the appeal and effectiveness of our services, applications, and tools, and to provide you with targeted information, advertisements, and offers.

We may use any of the categories of information listed above for other business or operational purposes compatible with the context in which the Personal Information was collected.

We may share any of the above-listed information with service providers, which are external parties that we engage for business purposes and are restricted from using personal information for any purpose that is not related to our engagement. The categories of service providers with whom we share information and the services they provide are described in this Global Privacy Notice.

On certain occasions, we may sell information to third parties. An external party may be considered a third party either because the purpose of sharing the Personal Information is not an enumerated business purpose under California law, or because our contract does not restrict them from using Personal Information for other purposes. To “sell” information means to disclose it to an external party for monetary or other benefit. We sell the following information:

  • Personal Identifiers. We provide your IP address and device ID to our suppliers and online advertising partners.
  • Internet or Other Electronic Network Activity Information. We provide information about your Internet or other electronic network activity information to our suppliers and online advertising partners.
  • Inferences drawn to create a profile about a consumer reflecting the consumer’s preferences or characteristics. We provide our observations about you to our suppliers and online advertising partners.

We also will disclose information to external parties who are not listed here when required by law or to protect our company or for other purposes, as described in this Global Privacy Notice.

Access to Deidentified Information. We license access to deidentified health information that is derived from Protected Health Information, as defined by the Health Insurance Portability and Accountability Act. All such information is deidentified according to the safe-harbor or expert determination requirements of HIPAA.

Right to Access Information. You have the right to request access to Personal Information collected about you and information regarding the source of that information, the purposes for which we collect it, and the third parties and service providers with whom we share it. To protect our customers’ Personal Information, we will verify your identity before we act on your request.

Right to Request Deletion of Information. You have the right to request in certain circumstances that we delete any Personal Information that we have collected directly from you. To protect our customers’ Personal Information, we will verify your identity before we act on your request. We may have a reason under the law why we do not have to comply with your request or why we may comply with it in a more limited way than you anticipated. If we do, we will explain that to you in our response.

Right to Information Regarding Participation in Data Sharing for Financial Incentives

We offer online resources whereby we incentivize you to share certain pieces of information with us. Participation is voluntary and you may opt out of the data sharing at any time.

Right to Opt Out of the Sale of Personal Information to Third Parties. You have the right to opt out of any sale of your Personal Information to third parties. To exercise this right, please visit our “Do Not Sell My Personal Information” webpage here. Please note that your right to opt out does not apply to our sharing of Personal Information with service providers, who are parties we engage to perform a function on our behalf and are contractually obligated to use the Personal Information only for that function.

How to Submit a Request. You may submit a request to exercise your rights through either of two means: (1) By filling out a Consumer Data Request Form available here  or (2) By calling us at 1-844-698-8905.

Changes to this Privacy Notice

We will periodically update this Global Privacy Notice, and we will post notice of any material changes to the Global Privacy Notice on this website in advance of making those changes. The “Effective Date” at the top of this page indicates when this Global Privacy Notice was last revised.

How to Contact Us

If you have questions, requests, or complaints related to your privacy, please contact ChiefPrivacyOfficer@ChangeHealthcare.com. If you would like to exercise data protection rights afforded by certain privacy regulations, please  contact our Data Protection Officer at DataProtectionOfficer@changehealthcare.com or by physical mail addressed to the attention of the Data Protection Officer at any of the following addresses: 

Residents of the UK

Change Healthcare UK Holdings Limited, Unit 3

The Exchange, Brent Cross Gardens, Brent Cross Greater

London, NW4 3RJ, UK

Residents of the EEA

Change Healthcare Ireland Solutions Ltd, 1

Woodford Business Park, Santry,

Dublin 17, D17 EW81, Ireland

Global Mailing Address:

Change Healthcare

Attn.: Data Protection Officer, Privacy Office

5995 Windward Parkway, 5th Floor

Alpharetta, Georgia 30005

United States