Effective Date: March 2021
Privacy matters to Change Healthcare, so we follow a privacy framework that helps us to manage and protect your information in our products, services and websites. Whether you are new to Change Healthcare or a long-time user, please take the time to get to know our practices – and if you have any questions contact us. This Global Privacy Notice (“Notice”) describes how Change Healthcare collects, uses, and shares the information you provide where we display this notice, including, among others, www.changehealthcare.com, www.changehealthcare.co.uk, www.changehealthcare.ie, and www.changehealthcare.com.au (our “Sites”) and in the services that we provide (collectively, “Sites and Services”). This Notice describes your rights and choices, and how you can contact us about our privacy practices. Our privacy practices may vary among the countries or territories where we operate to reflect local legal requirements.
Change Healthcare Sites and Services may contain links to third-party websites, products, and services. Our app marketplace, for instance, offers products and services from third parties as well as from Change Healthcare. This Notice does not apply to third party websites and mobile applications, products, or services that may link to or are linked from our Sites and Services or services we offer as a Business Associate on behalf of health care organizations. Please consult those websites and applications directly to understand their privacy practices.
Change Healthcare collects, processes, and retains information from you when you interact with our Sites and Services.
We collect the following information from you:
We automatically collect certain information through browser cookies and other tracking technologies when you access, use, or interact with our Sites and Services, including:
When you visit or use our Sites and Services, we and our partners collect information about your online activities over time and across different sites to provide you with advertising about products and services tailored to your individual interests (called “interest-based advertising”). Our partners may place or recognize a unique cookie or other tracking technology on your browser (including the use of pixel tags). Where required by applicable law, we will rely on your consent prior to processing personal information from your device or computer for the purpose of interest-based advertising.
Cookies are small text files that are stored in a devices’ web browser memory. Cookies store information when you use, access or interact with our Sites and Services, such as your IP address or other identifier, your browser type, and information about the content you view and your interactions. Other tracking technologies, such as pixel tags (also known as web beacons and clear GIFs), page tags, and script, may contain small transparent image files or lines of code to, among other things, track the actions of users (such as email recipients), measure the success of our marketing campaigns and compile statistics about usage of our Sites and Services.
For a list of the third parties that set cookies on our websites, including service providers acting on our behalf, please see our third-party cookie list third-party cookies page.
As a general rule, we do not collect personal information via cookies unless you have given us your permission to do so. For more information on how to administer your preference, please see the “How to Manage Your Cookies” section below.
Your browser or device may include “Do Not Track” functionality. At this time, Change Healthcare does not respond to browser “Do Not Track” signals.
Most web browsers automatically accept cookies but, if you prefer, you can usually modify your browser setting to disable or reject cookies. If you delete your cookies or if you set your browser to decline cookies, some features of our Sites and Services may not be available, work, or work as designed. You may also be able to opt out of or block tracking by interacting directly with the other companies who conduct tracking through our Services. You can learn more about ad serving companies and the options available to limit their collection and use of your information by visiting the websites for the Network Advertising Initiative, the Digital Advertising Alliance, and the European Interactive Digital Advertising Initiative. Similarly, you can learn about your options to opt out of mobile app tracking by certain advertising networks through your device settings and by resetting the advertiser ID on your Apple or Android device.
Please note that opting out of advertising network services does not mean that you will not receive advertising on our Sites or on other websites, nor will it prevent the receipt of interest-based advertising from other companies that do not participate in these programs. It will, however, exclude you from interest-based advertising conducted through participating networks, as provided by their policies and choice mechanisms. If you delete your cookies, you may also delete your opt-out preferences.
We may obtain information about you from other sources such as data brokers, credit reporting agencies, social networks, partners with which we offer co-branded services or engage in joint marketing activities, and publicly available sources such as data in the public domain.
We also may receive information about you from outside suppliers through your online activities on websites and connected devices over time and across websites, devices, apps and other online features and services.
These other sources help us update, expand, and analyze our records; identify new customers; determine you or your organization’s advertising or purchasing preferences; or prevent or detect fraud. We combine such information with information we have collected about you through our Sites and Services. We will treat the combined information in accordance with this Privacy Notice.
We use the information we collect about you for the following purposes:
If at any time you would like to unsubscribe from receiving promotional or commercial emails from us, you can click the unsubscribe link at the bottom of any email or you can unsubscribe by clicking the link here. We will comply with your request(s) as soon as reasonably practicable. Please note that if you opt out of receiving marketing-related emails from us, we may still send you important administrative messages.
Our Sites and Services are intended for users age thirteen and over. We do not knowingly collect information from children. If we discover that we have inadvertently collected information from anyone younger than the age of 16, we will delete that information.
We implement and maintain organizational, technical, and administrative security measures designed to safeguard the information we process within our organization against unauthorized access, destruction, loss, alteration, or misuse. These measures are aimed at providing on-going integrity and confidentiality for your personal information. We evaluate and update these measures on an ongoing basis. Your information is only accessible to personnel who need access to the information to perform their duties. However, while we take precautions to safeguard your information, we cannot guarantee the security of the networks, systems, servers, devices, and databases we operate or that are operated on our behalf.
We retain your personal information for as long as we have a relationship with you, subject to applicable law and regulation. When deciding how long to keep your personal information, we consider our legal and regulatory obligations and internal personal information management policies. For example, we retain records to investigate or defend against potential legal claims or where required by law. Where we retain data, we do so in accordance with any limitation periods and records retention obligations that are imposed by applicable law.
Your information may be transferred to, stored, and processed in a country that does not provide the same level of protection for personal information as the laws of your home country and may be available to the government of those countries under a lawful court order made in those countries. We have put in place appropriate safeguards in accordance with applicable legal requirements to provide adequate protections for your personal information and we comply with applicable laws on the transfer of personal information between countries, privacy, data protection and cybersecurity laws where we transact business to help protect your personal information.
Change Healthcare relies on approved Standard Contractual Clauses for the international transfer of personal information collected in the European Economic Area. Change Healthcare also abides by the principles of the EU-U.S and Swiss-U.S Privacy Shield Framework, as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the EU or Switzerland to the United States, although Change Healthcare does not rely on the EU-U.S and Swiss-U.S Privacy Shield Framework as a legal basis for transfers of Personal Data in light of the judgment of the Court of Justice or the EU in Case C-311/18. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/ If you have questions or concerns about our privacy certifications, contact our third-party dispute resolution provider.
If you are located in certain countries outside the US, you have specific privacy rights under applicable law with respect to your personal information.
We will rely on the following legal bases for processing your personal information, depending on our purpose for such processing.
If we intend to use your personal information that we have collected for a different purpose other than the purpose disclosed to you, we will provide you with information about the secondary purpose and with any other information necessary to ensure fair and transparent processing prior to such use.
You may have the following rights with regard to the personal information we control about you, subject to applicable exceptions, under local data protection laws:
You have the right to make a complaint with your local data protection authority if you believe that the processing of your personal information infringes your rights under applicable privacy and data protection laws. Contact details for EEA data protection authorities are available here.
In order to exercise your data protection rights, you may contact Change Healthcare as described in the How to Contact Us section below or submit a request by filling out a Consumer Data Request Form available here. In order to verify your identity, we may require you to provide us with personal information prior to accessing any records containing personal information about you.
Residents of the State of Nevada in the United States have the right to opt out of the sale of certain pieces of their information to other companies who will sell or license their information to others. If you are a Nevada resident and would like more information about our data sharing practices, please email us at ChiefPrivacyOfficer@ChangeHealthcare.com
Residents of the State of California have the right to request information from Change Healthcare regarding other companies to whom the company has disclosed certain categories of information during the preceding year for the other companies’ direct marketing purposes. If you are a California resident and would like to make such a request, please submit the Consumer Data Request Form available here.
The California Consumer Privacy Act provides California residents with rights to receive certain disclosures regarding the collection, use, and sharing of “Personal Information,” as well as rights to know/access, delete, and limit sharing of Personal Information. The CCPA defines “Personal Information” to mean “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Certain information we collect may be exempt from the CCPA because it is considered public information (i.e., it is made available by a government entity) or covered by a specific federal privacy law, such as the Gramm–Leach–Bliley Act, the Health Insurance Portability and Accountability Act (HIPAA), or the Fair Credit Reporting Act.
To the extent that we collect Personal Information that is subject to the CCPA, that information, our practices, and your rights are described below.
Right to Information Regarding the Categories of Personal Information Collected, Sold, and Disclosed.
The following is a description of our data collection practices, including the Personal Information we collect, the sources of that information, the purposes for which we collect information, and whether we disclose that information to external parties. We may use any and all of the information for any of the purposes described in this privacy notice, unless limitations are listed. The categories we use to describe the information are those enumerated in the CCPA.
We may use any of the categories of information listed above for other business or operational purposes compatible with the context in which the Personal Information was collected.
We may share any of the above-listed information with service providers, which are external parties that we engage for business purposes and are restricted from using personal information for any purpose that is not related to our engagement. The categories of service providers with whom we share information and the services they provide are described in this Global Privacy Notice.
On certain occasions, we may sell information to third parties. An external party may be considered a third party either because the purpose of sharing the Personal Information is not an enumerated business purpose under California law, or because our contract does not restrict them from using Personal Information for other purposes. To “sell” information means to disclose it to an external party for monetary or other benefit. We sell the following information:
We also will disclose information to external parties who are not listed here when required by law or to protect our company or for other purposes, as described in this Global Privacy Notice.
Access to Deidentified Information. We license access to deidentified health information that is derived from Protected Health Information, as defined by the Health Insurance Portability and Accountability Act. All such information is deidentified according to the safe-harbor or expert determination requirements of HIPAA.
Right to Access Information. You have the right to request access to Personal Information collected about you and information regarding the source of that information, the purposes for which we collect it, and the third parties and service providers with whom we share it. To protect our customers’ Personal Information, we will verify your identity before we act on your request.
Right to Request Deletion of Information. You have the right to request in certain circumstances that we delete any Personal Information that we have collected directly from you. To protect our customers’ Personal Information, we will verify your identity before we act on your request. We may have a reason under the law why we do not have to comply with your request or why we may comply with it in a more limited way than you anticipated. If we do, we will explain that to you in our response.
Right to Information Regarding Participation in Data Sharing for Financial Incentives
We offer online resources whereby we incentivize you to share certain pieces of information with us. Participation is voluntary and you may opt out of the data sharing at any time.
Right to Opt Out of the Sale of Personal Information to Third Parties. You have the right to opt out of any sale of your Personal Information to third parties. To exercise this right, please visit our “Do Not Sell My Personal Information” webpage here. Please note that your right to opt out does not apply to our sharing of Personal Information with service providers, who are parties we engage to perform a function on our behalf and are contractually obligated to use the Personal Information only for that function.
How to Submit a Request. You may submit a request to exercise your rights through either of two means: (1) By filling out a Consumer Data Request Form available here or (2) By calling us at 1-844-698-8905.
Changes to this Privacy Notice
We will periodically update this Global Privacy Notice, and we will post notice of any material changes to the Global Privacy Notice on this website in advance of making those changes. The “Effective Date” at the top of this page indicates when this Global Privacy Notice was last revised.
If you have questions, requests, or complaints related to your privacy, please contact ChiefPrivacyOfficer@ChangeHealthcare.com. If you would like to exercise data protection rights afforded by certain privacy regulations, please contact our Data Protection Officer at DataProtectionOfficer@changehealthcare.com or by physical mail addressed to the attention of the Data Protection Officer at any of the following addresses:
Residents of the UK
Change Healthcare UK Holdings Limited, Unit 3
The Exchange, Brent Cross Gardens, Brent Cross Greater
London, NW4 3RJ, UK
Residents of the EEA
Change Healthcare Ireland Solutions Ltd, 1
Woodford Business Park, Santry,
Dublin 17, D17 EW81, Ireland
Global Mailing Address:
Attn.: Data Protection Officer, Privacy Office
5995 Windward Parkway, 5th Floor
Alpharetta, Georgia 30005