Change Healthcare App Registry Privacy Policy

Effective Date: December 20, 2020

Privacy matters to Change Healthcare and its affiliates and subsidiaries (“Change”, “we” and “us”), so whether you are new to Change Healthcare or a long-time user, please take the time to get to know our practices with respect to our Application Developer Registry (“App Registry”) program – and if you have any questions contact us.

BACKGROUND

The App Registry Website (“Site”) is part of the Change Healthcare Interoperability API Connector that Change Healthcare introduced to provide a marketplace for offering tools and technologies to the health care payer community, their beneficiaries (“Members”) and application developers (“App Developers”) (individually each referred to as “you” or “your” and collectively referred to as “Users”). The requirements in the Centers for Medicare & Medicaid Services (“CMS”) Interoperability and Patient Access Final Rule will give payers a new opportunity to connect and interact with health care consumers, their health care providers and other third-parties they authorize through mobile apps. Our App Registry provides App Developers the opportunity to attest to their compliance with industry accepted security and privacy standards that will give health care payers a level of assurance that sensitive health, payment and other information they are entrusted with will continue to be protected even after Members authorize its disclosure through third-party apps. Change’s Site also provides Members the opportunity to identify specific applications that they would like Change Healthcare to include in the App Registry.

This Site Privacy Policy describes how the information you provide in the forms on the Site will be used or disclosed. This Privacy Policy explains how Change Healthcare collects, uses, and shares your sensitive and personal information, as well as your rights and choices, and how you can contact us about our privacy practices.

This Notice does not apply to outside websites and mobile applications, products, or services that may link to the Site or be linked to on the Site. Please consult those websites and applications directly to understand their privacy practices.

For specific disclosures related to our use of cookies and other tracking technologies, please see our Cookie Policy . We use these technologies to gather data for our internal analytics and for targeted advertising.

This Privacy Policy describes the following:

Information We Collect
How We Use Your Information
How and With Whom We Disclose Your Information
Your California Privacy Rights
Information Security and Storage
Changes to This Privacy Notice
How to Contact Us

Information We Collect

Information We Collect From You

For App Developers: When signing up to have your app(s) displayed in the App Registry, an App Developer must provide certain information about the App Developer’s Company, such as the name, email address and phone number of an individual who is authorized to represent and bind the Company (e.g., the CEO), the Company’s and the App’s name, the Company’s email addresses for support and contact, links to the Company’s icon and the App’s icon, a link to Company website and App and the links to the App’s Terms and Conditions and Privacy Policy.

We also collect App Developer’s attestation regarding the security and privacy posture and standards used in the development and maintenance of the app, including the platforms that support the app, a short and long description of what the app does (also referred to as “User Provided Content”). User Provided Content may also collect any additional information you voluntarily include in your messages or responses when interacting with us through our Site, including via online forums, inquiry forms, our support portal, or our Chatbox.

For Members: Members may also request that an application be included in the App Registry by providing the name of the App, App Developer Company Name, a link to App Developer’s application or website, Member’s name, and Member’s email address.

Information We Collect Automatically

Change obtains information about you from various sources to improve your user experience and to keep you informed about the App Registry program. We automatically collect certain information when you access, use or interact with our Site. We use browser cookies and other tracking technologies (collectively, “Cookies”) to collect and store certain information when you use, access or interact with our Site. We collect your device type, operating system and version, IP address, general geographic location as indicated by your IP address, browser type, screen resolution, device manufacturer and model, language, plug-ins, add-ons and the language version of the Site. In addition, we collect information about the time you spend on the Site and other Change websites you may navigate to, the content you view and features you access, the pages that led or referred you to our Site, language preferences, how you interact with available content, and entered search terms, as well as personal information that you make available to us via a social media platform, such as by clicking on a social media icon linked from our Site.

When you visit our Sites, we and our partners collect information about your online activities over time and across different sites to provide you with advertising about products and services tailored to your individual interests (called “interest-based advertising”). Our partners may place or recognize a unique cookie or other tracking technology on your browser (including the use of pixel tags). Where required by applicable laws, we will rely on your consent prior to processing personal data from your device or computer for the purpose of interest-based advertising.

Most web browsers automatically accept cookies but, if you prefer, you can usually modify your browser setting to disable or reject cookies. If you delete your cookies or if you set your browser to decline cookies, some features of the Services may not be available, work, or work as designed. You may also be able to opt out of or block tracking by interacting directly with the other companies who conduct tracking through our Services. You can learn more about ad serving companies and the options available to limit their collection and use of your information by visiting the websites for the Network Advertising Initiative , the Digital Advertising Alliance , and the European Interactive Digital Advertising Initiative . Similarly, you can learn about your options to opt out of mobile app tracking by certain advertising networks through your device settings and by resetting the advertiser ID on your Apple or Android device. Please note that opting out of advertising network services does not mean that you will not receive advertising on our Sites or on other websites, nor will it prevent the receipt of interest-based advertising from other companies that do not participate in these programs. It will, however, exclude you from interest-based advertising conducted through participating networks, as provided by their policies and choice mechanisms. If you delete your cookies, you may also delete your opt-out preferences.

Your browser or device may include “Do Not Track” functionality. At this time, Change Healthcare does not respond to browser “Do Not Track” signals.

To learn more about the Cookies that are served through our Sites and how you can control our use of Cookies and third-party analytics, please see our Cookie Policy .

Information We Collect from Other Sources

We may receive information about you from third parties. These other sources help us update, expand and analyze our records; identify new customers and partners; determine you or your organization’s advertising or purchasing preferences; or prevent or detect fraud.

How We Use Your Information

If you are an App Developer , we use your contact information to communicate with you via email to provide you with information and updates about the App Registry. We also provide you with certain specific information from Change’s customers’ Members who use your Apps. Change also uses the information you provide about your company in our App Registry. Change may also use the information an App Developer provides to send email communications about Change Healthcare’s products and services, invite you to participate in events or surveys, to conduct data analysis of user experiences and behavior, and to otherwise communicate with the App Developer for marketing purposes.

If you are a Member , we use the information you provide to fulfill your request to have an Application or Company be added to the App Registry. We may use your name to and the email address to communicate with you regarding your request.

If at any time you wish to unsubscribe from receiving promotional or commercial emails from us, you can click the unsubscribe link at the bottom of any email or email us at MarketingCommunications@ChangeHealthcare.com . We will comply with your request(s) as soon as reasonably practicable. Please note that if you opt-out of receiving marketing-related emails from us, we may still send you important administrative messages.

How and With Whom We Disclose Your Information

Change will publically disclose on the App Registry the information an App Developer provides about their App(s) that they wish to be displayed on the App Registry. Furthermore, Change will only disclose the personal information of a Member to the App Developer that the Member identified in their request to be added to the App Registry. Otherwise, where required or permitted by law or in the context of an audit or other review , Change will share information with law enforcement agencies, courts, or other government authorities where we believe it is necessary: (i) to comply with a law or regulation; (ii) to protect the rights, safety, and property of Change Healthcare, you or others; and (iii) to respond to requests from courts, law enforcement agencies, regulatory agencies and other public and government authorities. We may also share the sensitive or personal information in connection with the consideration, negotiation, or completion of a corporate transaction, such as a merger or acquisition or a sale or transfer of all or a portion of our assets or business, including during any due diligence process.

Your California Privacy Rights

If you are a California resident, California law may provide you with additional rights regarding our use of your personal information.

Residents of the State of California have the right to request information from Change Healthcare regarding other companies to whom the company has disclosed certain categories of information during the preceding year for the other companies’ direct marketing purposes. If you are a California resident and would like to make such a request, please submit the Consumer Data Request Form available here .

The California Consumer Privacy Act provides California residents with rights to receive certain disclosures regarding the collection, use, and sharing of “Personal Information,” as well as rights to know/access, delete, and limit sharing of Personal Information. The CCPA defines “Personal Information” to mean “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Certain information we collect may be exempt from the CCPA because it is considered public information (i.e., it is made available by a government entity) or covered by a specific federal privacy law, such as the Gramm–Leach–Bliley Act, the Health Insurance Portability and Accountability Act (“HIPAA”), or the Fair Credit Reporting Act.

To the extent that we collect Personal Information that is subject to the CCPA, that information, our practices, and your rights are described below.

Right to Information Regarding the Categories of Personal Information Collected, Sold, and Disclosed. You have the right to obtain information regarding the categories of personal information we collect, sell, or disclose as described in this Privacy Policy. The following is a description of our data collection practices, including the personal information we collect, the sources of that information, the purposes for which we collect information, and whether we disclose that information to external parties. We may use any and all of the information for any of the purposes described in this privacy notice, unless limitations are listed. The categories we use to describe the information are those enumerated in the CCPA.

Personal Identifiers:

We collect your name, phone number, email address, mailing address, and contact address when you create an account or contact us via the Site. If you choose to create an account, you will also be asked to create a username, and we will assign one or more unique identifiers to your profile. We use this information to provide our services, respond to your requests, and send information and advertisements to you.
We collect a unique numerical identifier, assigned to you by a first-party cookie, automatically when you use our services in order to identify you, provide our services, keep you logged in to our services, prevent fraud, and provide you with targeted information and offers.
A service provider working on our behalf collects your payment information when you provide it to us, or to a service provider working on our behalf, when you complete a transaction. This information includes your credit card number or bank account number. We use this information to facilitate payments and transactions.
We do not collect your Driver’s License number or passport number.
We do not collect your social security number.
We do not collect any medical information or health information about you through this marketing website, www.changehealthcare.com.
We collect your IP address automatically when you use our Services. We use this information to identify you, gauge online activity on our Site, measure the effectiveness of online services, applications, and tools, and serve targeted advertisements based on your online activities.
We collect your Device ID automatically when you use our Services. We use this information to monitor your usage and the effectiveness of our Services, to identify you, and to provide you with targeted information and offers.

Protected Classifications: We do not collect your age, gender, racial or ethnic origin, or sexual orientation.
Commercial Information: When you engage in transactions with us, we create records of goods or services purchased or considered, as well as purchasing or consuming histories or tendencies. We use this information to measure the effectiveness of our services and to provide you with targeted information, advertisements, and offers.
Biometric Information: We do not collect information about your physiological, biological, or behavioral characteristics.
Internet or Other Electronic Network Activity Information: When you navigate to and use our site, we collect information such as your Internet domain, the domain of your Internet service provider, the date and time that you access the site, the Internet address of the Site from which you linked directly to the site, and the pages you visit on our sites.
Geolocation Data: As described above, we collect your IP address automatically when you visit our sites. We can determine your general location based on your IP address.
Audio, electronic, visual, thermal, olfactory, or similar information: We do not collect your audio, electronic, visual, thermal, olfactory, or similar information.
Professional or employment-related information: We collect your business contact information when you contact us regarding our products and services or when you interact with us at trade shows. We otherwise do not collect your professional or employment-related information.
Education information: We do not collect any information about the institutions you have attended or the level of education you have attained.
Inferences drawn to create a profile about a consumer reflecting the consumer’s preferences or characteristics: We analyze your actual or likely preferences through a series of computer processes and add our observations to your internal profile. We use this information to gauge and develop our marketing activities, measure the appeal and effectiveness of our services, applications, and tools, and to provide you with targeted information, advertisements, and offers.

We may use any of the categories of information listed above for other business or operational purposes compatible with the context in which the personal information was collected.

We may share any of the above-listed information with service providers, which are external parties that we engage for business purposes and are restricted from using personal information for any purpose that is not related to our engagement. The categories of service providers with whom we share information and the services they provide are described in this Privacy Policy.

On certain occasions, we also sell information to third parties. An external party may be considered a third party either because the purpose of sharing the Personal Information is not an enumerated business purpose under California law, or because our contract does not restrict them from using Personal Information for other purposes. To “sell” information means to disclose it to an external party for monetary or other benefit. We sell the following information:

Personal Identifiers. We provide your IP address and device ID to our vendors and online advertising partners.
Internet or Other Electronic Network Activity Information. We provide information about your Internet or other electronic network activity information to our vendors and online advertising partners.
Inferences drawn to create a profile about a consumer reflecting the consumer’s preferences or characteristics. We provide our observations about you to our vendors and online advertising partners.

We also will disclose information to external parties who are not listed here when required by law or to protect our company or for other purposes, as described in this Privacy Policy.

Right to Access Information. You have the right to request access to Personal Information collected about you and information regarding the source of that information, the purposes for which we collect it, and the third parties and service providers with whom we share it. To protect our customers’ Personal Information, we are required to verify your identify before we can act on your request.

Right to Request Deletion of Information. You have the right to request in certain circumstances that we delete any Personal Information that we have collected directly from you. To protect our customers’ Personal Information, we are required to verify your identify before we can act on your request. We may have a reason under the law why we do not have to comply with your request, or why we may comply with it in a more limited way than you anticipated. If we do, we will explain that to you in our response.

Right to Opt Out of the Sale of Personal Information to Third Parties. You have the right to opt out of any sale of your personal information to third parties. To exercise this right, please visit our “Do Not Sell My Personal Information” webpage here . Please note that your right to opt out does not apply to our sharing of personal information with service providers, who are parties we engage to perform a function on our behalf and are contractually obligated to use the personal information only for that function.

How to Submit a Request. You may submit a request to exercise your rights through either of two means: (1) By filling out a Consumer Data Request Form available here or (2) By calling us at 1-844-698-8905.

Information Security and Storage

We implement and maintain organizational, technical, and administrative security measures designed to safeguard the information we process within our organization against unauthorized access, destruction, loss, alteration, or misuse. These measures are aimed at providing on-going integrity and confidentiality for your sensitive or personal data. We evaluate and update these measures on an ongoing basis. Your information is only accessible to personnel who need access to the personal data to perform their duties. However, no IT system or network can be 100% secure, so we cannot guarantee the absolute security of your sensitive or personal data.

We retain your sensitive and personal data for as long as we have a relationship with you. When deciding how long to keep your personal data after our relationship with you has ended, we consider our legal and regulatory obligations and any internal personal data management policies. For example, we may retain records to investigate or defend against potential legal claims or where required by law. Where we retain data, we do so in accordance with any limitation periods and records retention obligations that are imposed by applicable law.

Changes to this Privacy Notice

We may periodically update this Privacy Policy to describe new Site features, products or services we offer and how it may affect our use of information about you and your controls. We will not apply material changes to this App Registry Privacy Policy retroactively to personal information we have previously collected. Since we may change this App Registry Privacy Policy, we recommend that you check the current version available from time to time. We will notify you by means of a notice on this page or by email, prior to any material changes becoming effective.

How to Contact Us

If you have questions, requests, or complaints related to your privacy, or if you would like to exercise your data protection rights, please contact us at ChiefPrivacyOfficer@ChangeHealthcare.com . You may also contact our Data Protection Officer at ChiefPrivacyOfficer@ChangeHealthcare.com or by physical mail at the following address:

Change Healthcare

Attn: Chief Privacy Officer, Privacy Office

5995 Windward Parkway, 5^th Floor

Alpharetta, Georgia 30005

United States