Privacy Policy
CareMetx Privacy Policy, Effective Date of January 1, 2020, Updated March 1, 2025.
General Privacy Policy
CareMetx, LLC and all of its affiliates and subsidiaries (collectively referred to as, “CareMetx”), are committed to protecting the privacy of your information collected by CareMetx systems, websites, portals, and other interfaces (individually and collectively referred to as “Systems”).
This Privacy Policy (the “Policy”) describes CareMetx’s privacy practices and how CareMetx uses the information you provide when using, accessing, or sharing information with any CareMetx Systems. By using CareMetx Systems, you agree to and consent to the collection, disclosure, and use of your information as described in the Policy. CareMetx is also referred to in this Policy as “We” and “Us.”
If you do not want Us to use your information as described in this Policy, please do not use CareMetx Systems. Additionally, you may opt out of use of your information by contacting CareMetx as described in Section 10 of the Policy, subject to applicable law and the terms hereof.
No Sale of Personal Information
CareMetx does not sell your information and will only use it as necessary for the Services (as defined in the next section) for which it is collected, or as otherwise described in this Policy.
1. About Us
CareMetx operates and manages its Systems to perform the services, provide the products, or to manage and support the program (referred to generally and collectively as, the “Services”) which you are accessing. Before We share any information you provide, We will endeavor to ensure that you understand who will receive your information and why they are requesting it. If you do not want to share your information in the way described, you may decline to complete any agreement or authorization process or opt-out of participation, as applicable to the Services. You understand that if you do not agree or authorize the disclosure(s) necessary for the operation of a Service, you may not be able to participate.
CareMetx Systems may provide you with links to websites of other organizations and companies (collectively, “Third-Party Sites”). Third-Party Sites may offer you materials and services as well as links to other sites. CareMetx does not accept, and hereby disclaims, any responsibility or liability for any use of personal data collected or which otherwise may arise from any use or access of any Third-Party Sites. We strongly recommend that you read the privacy policies and any other terms and conditions before using or submitting any personal information or other data to any Third-Party Sites.
2. Use of Information Collected
We use the information you provide to Us to perform the Services offered through the Systems, and as otherwise necessary or required for maintenance and delivery of the Services. Additionally, we may use Website Navigational Information and other Customer Data (each defined below) to operate and improve the Systems and Services, as permitted by applicable law. CareMetx may de-identify, anonymize, and/or aggregate information collected in accordance with applicable law.
3. Information Collected
We collect information from individuals who visit the Systems (“Visitors”) and individuals who subscribe to, use, or access the Services (“Customers”). In order to be able to use the Services, Customers may have to electronically submit data or information (“Customer Data”). When signing up to use the Services, We may ask Customers for certain identifying information so that We can verify the Customer’s identity. The Customer Data that We may ask for may include, but is not necessarily limited to, name, birth date, address, practice name, specialty, address, email address, fax number, NPI number, DEA number, and Tax ID number. We may also request that you provide Us with a verification code that We send to you via email or other means. In some cases, We may request additional information to help verify your identity. If you choose to complete any agreement or attestation through any CareMetx Systems, We may request that you submit an electronic signature. When expressing an interest in obtaining additional information about the Services, We may require you to provide Us with personal contact information, such as name, address, phone number, email address, and other similar information, as necessary and applicable (“Required Contact Information”). As you navigate CareMetx Systems, We may also collect information through the use of commonly used information-gathering tools, such as cookies and similar tools and applications (“Website Navigational Information”). Website Navigational Information includes standard information from your web browser, such as browser type and browser language, your Internet Protocol (“IP”) address, and the actions you take on CareMetx Systems, which may include, but is not necessarily limited to, pages viewed, and the links clicked. More specific information about the types of Website Navigational Information collected by CareMetx is laid out in the next section.
4. Website Navigational Information
This section describes the types of Website Navigational Information that may be collected by CareMetx’s websites and portals (collectively referred to as, the “Site”) as well as applicable Services, and how this information may be used.
Cookies
We may use cookies to make interactions with the Site easy and meaningful. When you visit the Site, one of CareMetx’s servers may send a cookie to your computer. Standing alone, cookies do not personally identify you. They merely recognize your web browser. We use cookies that are session-based and persistent. Session cookies exist only during one session. They disappear from your computer when you close your browser software or turn off your computer. Persistent cookies remain on your computer after you close your browser or turn off your computer. If you have chosen to identify yourself to Us, then We use session cookies containing encrypted information to allow Us to uniquely identify you. Each time you log into the Services, a session cookie containing an encrypted unique identifier that is tied to your account is placed in your browser. These session cookies allow Us to uniquely identify you when you are logged into the Services and to process your online transactions and requests. Session cookies are required to use the Services. We use persistent cookies that we can read and use to identify browsers that have previously visited the Site. If you disable your web browser’s ability to accept cookies, you will be able to navigate the Site, but you may not be able to successfully use the Services. We may use information from session and persistent cookies in combination with Customer Data and other collected information to provide you with information and to operate the Services.
IP Addresses
When you visit a Site, we collect your IP addresses to track and aggregate non-personal information. For example, We use IP addresses to monitor the regions from which Customers and Visitors navigate the Site(s). We also collect IP addresses from Customers when they log into the Services as part of CareMetx’s security features.
Third Party Cookies
From time to time, We may engage third parties to track and analyze usage and volume statistical information from individuals who visit CareMetx’s Site(s). This information does not contain personal information or Customer Data.
5. How We Share Information Collected
We may share Customer Data with CareMetx’s service providers: (i) to ensure the quality of information provided; (ii) where required by a program; or (iii) to perform the Services, as applicable. If you agree/authorize the sharing of your information, We will share your information with the party or parties described in that agreement/authorization.
We reserve the right to use or disclose information provided if required by law or if We reasonably believe that use or disclosure is necessary to protect CareMetx’s rights and/or to comply with a judicial proceeding, court order, or legal process. We may share information We collect to another entity as part of a sale, merger, or reorganization. If you do not wish Us to share personally identifiable information you provide as described herein, or if you wish to examine or update any personal information you may have provided to Us, you may contact Us in accordance with Section 10 below.
6. Customer Data
Customers may electronically submit Customer Data to the Services for hosting and processing purposes. Such Customer Data will be used for the performance of Services or as required by the applicable program.
7. Security
CareMetx implements a NIST CSF-aligned and SOC2 Type 2 audited security program, and a defense-in-depth control strategy. This includes but is not limited to:
- Policies and procedures governing CareMetx’s security program;
- Encryption of all sensitive or regulated communications with TLS in transit and AES at rest;
- Strong access controls on all sensitive or regulated systems. All infrastructure is hardened and tested via vulnerability scanning and penetration testing;
- Risk management policies and procedures including internal and external security testing and risk assessments; and
- Additional controls including but not limited to firewalls, WAF, IDS, and anti-malware.
This notwithstanding, nothing in this Policy constitutes a guarantee of security. Customers and Visitors are responsible for maintaining the security and confidentiality of any verification codes that they may receive and of the systems and devices they use to access any Systems, Services or Sites.
8. Collection of Information from Minors
In accordance with the U.S. Children’s Online Privacy Protection Act of 1998, you are notified that We do not knowingly collect identifiable information from anyone under the age of 13 through the Site, nor is the Site intended for users younger than 13 years of age. If you are under 13, please do not use the Site or otherwise provide any information that would allow Us to identify you. We encourage parents and legal guardians to monitor their children’s internet usage and to help enforce this Policy by instructing their children to never provide identifying information to the Site(s). Please contact Us in accordance with Section 10 if you discover an individual under 13 has submitted their information contrary to this Policy.
9. Changes to this Privacy Policy
We reserve the right to change this Policy, and when updated, the effective date of the new version will be at the top of this policy.
10. Compliance with Privacy Laws
Some jurisdictions have specific laws and regulations (collectively, “Privacy Laws”) related to consumer privacy and the collection of Personal Information (as defined below). CareMetx’s policy is to comply with all Privacy Laws, whether federal, state, or local, as applicable to CareMetx, including, without limitation, the California Business and Professions Code §22575-22579, the California Consumer Privacy Act of 2018, the California Privacy Rights Act, California Civil Code § 1798.83, known as the “Shine the Light” law, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Delaware Personal Data Privacy Act, the Indiana Consumer Data Protection Act, the Iowa Consumer Data Protection Act, the Kentucky Consumer Data Protection Act, the Maryland Online Data Privacy Act, the Minnesota Consumer Data Privacy Act, the Montana Consumer Data Privacy Act, the New Hampshire Data Privacy Act, the New Jersey Disclosure and Accountability Transparency Act, the Tennessee Information Protection Act, the Utah Consumer Privacy Act, the Virginia Consumer Data Protection Act, all regulations related to the foregoing, and any other similar laws or regulations enacted that apply to CareMetx or to the Services.
Accordingly, you may contact Us to request certain information regarding our disclosure of Personal Information to any third parties, or with any questions or requests to exercise your rights under applicable State Privacy Laws, as further described below.
Personal Information We Collect
We collect information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device, or otherwise to an identifiable natural person or individual (referred to generally as, “Personal Information”). In particular, We have collected the following categories of Personal Information within the last twelve (12) months:
- Personal identifiers such as name, alias, address, unique personal identifiers, online identifiers, email address, account name, Social Security number, age, date of birth, gender, telephone number, fax number, driver’s license or state identification card number, insurance policy number, member number, education, employment, employment history, user names and logins, or other financial information, medical information, or health insurance information.
- Professional information such as NPI number, DEA number, and Tax ID number.
- Internet or other similar network activity such as browsing history, search history, geolocation data, IP address, information on a consumer’s interaction with a website, application, or advertisement.
- Audio and video recordings.
- Inferences from all of the above.
Personal information does not include:
- Publicly available information from government records.
- De-identified, anonymized, or aggregated information.
- Any information excluded from the scope of any applicable Privacy Laws, such as, but not limited to, Protected Health Information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), information covered by the California Confidentiality of Medical Information Act (CMIA) or clinical trial data, and Financial Information covered by the Gramm-Leach-Bliley Act, and implementing regulations.
We obtain the categories of personal information listed above from the following categories of sources:
- Directly and indirectly from activity on our Site and Systems or use and access of any Services. For example, from submissions through our website portals or website usage details collected automatically.
- Indirectly from you when you visit and interact with our Site, Systems or Services.
- Directly from you when you submit information to Us when using our Services or otherwise. For example, if you submit a form, or provide Us with information over the telephone, that contains your Personal Information in connection to your use of our Services.
Use of Personal Information
We may use or disclose the Personal Information We collect for one or more of the following business purposes:
- To provide you with information, products, or services (including, without limitation, any Services) that you request from Us.
- To provide you with email alerts, event registrations and other notices concerning our products or services, or events or news, that may be of interest to you.
- To improve our Site and present its contents to you.
- For testing, research, analysis, product development, as well as creation or improvement of any products or services (including, without limitation, the Services).
- As necessary or appropriate to protect the rights, property, or safety of CareMetx, CareMetx’s clients, or others.
- To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations.
- As described to you when collecting your Personal Information or as otherwise permitted under applicable Privacy Laws.
- To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets.
- As part of bankruptcy, liquidation, or similar proceeding.
We will not collect additional categories of Personal Information or use the Personal Information We collected for materially different, unrelated, or incompatible purposes without providing you notice.
Disclosure of Personal Information
We may disclose your personal information to a third party for business purposes. When We disclose personal information for a business purpose, We enter a contract that describes the purpose and requires the recipient to both keep that personal information confidential and not use it for any purpose except performing the contract.
In the preceding twelve (12) months, We may have disclosed the following categories of personal information for a business purpose:
- Personal identifiers such as name, alias, address, unique personal identifiers, online identifiers, email address, account name, Social Security number, age, date of birth, gender, telephone number, fax number, driver’s license or state identification card number, insurance policy number, member number, education, employment, employment history, user names and logins, or other financial information, medical information, or health insurance information.
- Professional information such as NPI number, DEA number, and Tax ID number.
- Internet or other similar network activity such as browsing history, search history, geolocation data, IP address, information on a consumer’s interaction with a website, application, or advertisement.
- Audio and video recordings.
- Inferences from any of the above.
We may disclose your personal information for a business purpose to the following categories of third parties:
- Pharmaceutical companies that manufacture the medication you are taking and/or sponsor the program you are enrolled in and/or Services you access.
- Healthcare providers and practices, pharmacies, and members of their respective workforces, as applicable to the program and/or Services.
- Contracted third party service providers for the purposes permitted under this Policy.
Your Rights and Choices
State Privacy Laws provide consumers with specific rights regarding their Personal Information. This section describes your rights and explains how to exercise those rights.
Access to Specific Information and Data Portability Rights
You have the right to request that We disclose certain information to you about CareMetx’s collection and use of your Personal Information over the past 12 months. Once We receive and confirm your verifiable consumer request, We will disclose to you any of the following, as requested:
- The categories of Personal Information We collected about you.
- Where required by applicable Privacy Laws, any categories of Personal Information We collect about you designated as sensitive under those applicable Privacy Laws.
- The categories of sources for the Personal Information We collected about you.
- Our business or commercial purpose for collecting that Personal Information.
- The categories of third parties with whom We share that Personal Information.
- The specific pieces of personal information We collected about you.
- If we disclosed your personal information and, if so, the personal information categories that each category of recipient received.
Deletion Request Rights
You have the right to request that We delete any of your Personal Information that We collected from you and retained, subject to certain exceptions. Once We receive, confirm, and verify your request, We will delete (and direct our service providers to delete) your Personal Information from our records, unless an exception applies under applicable Privacy Laws.
We may deny your deletion request if retaining the information is necessary for CareMetx or our service providers to:
- Comply with legal obligations.
- Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
- Debug products to identify and repair errors that impair existing intended functionality.
- Make other internal and lawful uses of that information that are compatible with the context in which you provided it.
- Other reasons permitted by applicable Privacy Laws.
Response Timing and Format
CareMetx endeavors to respond to a verifiable consumer request within 45 days of its receipt. If more time is required, We will inform you of the reason and extension period in writing, which may be as long as an additional 45 days (or a total response time of up to 90 days). If you have an account with CareMetx, We will deliver our written response to that account. If you do not have an account, We will deliver our written response by mail or electronically, at your option. Any disclosures We provide will only cover the 12-month period preceding receipt of a verified request. The response We provide will also explain the reasons We cannot comply with a request, if applicable. Where applicable Privacy Laws permit you to file an appeal, CareMetx will respond within the required time period.
Non-Discrimination
We will not discriminate against you for exercising any of your rights. Except where permitted by applicable Privacy Laws, We will not:
- Deny you goods or services.
- Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
- Provide you a different level or quality of goods or services.
- Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.
Exercising Your Rights
If you wish to exercise your rights under any applicable Privacy Laws, you may contact CareMetx at:
Email: privacy@caremetx.com
Phone: 1-877-690-0220 (Toll Free)
Only you or a person authorized and/or registered by you to act on your behalf in accordance with applicable Privacy Laws may make a request related to your Personal Information.
CareMetx will only provide access or data portability in response to a request the number of times required by applicable Privacy Laws. All requests must:
- Provide sufficient information that allows CareMetx to reasonably verify you are the person about whom we collected the Personal Information or an authorized representative of that person.
- Describe your request with sufficient detail necessary to properly understand, evaluate, and respond to it.