Washington State Consumer Health Data Privacy Policy
Last Updated: March 31, 2024
This Washington State Consumer Health Data Privacy Policy supplements the Headway (“Company”, “we”, “us”) Privacy Policy (“Privacy Policy”) and applies to the extent you are a resident of the state of Washington from whom we collect “consumer health data” (“CHD”), as defined by the Washington State My Health My Data Act (“MHMDA”), or to personal data we collect in Washington, to the extent such data is CHD.
Consumer Health Data We May Collect
As described in the Notice of Collection and Uses of Information section of our Privacy Policy, the data we collect varies and depends, among other things, on the context of your interactions with us, the products and features you use, and applicable law. Because MHMDA defines CHD very broadly, many of the categories of data we collect could also be considered CHD. The MHMDA specifically excludes any data we collect, process, or disclose that is covered by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Instead, our Notice of Privacy Practices applies to that information. To the extent any of the below information we collect could be considered CHD, we collect it only as necessary to provide you the Services you request.
Below are examples of the categories of data we collect that could be deemed CHD (if not collected in a context subject to HIPAA):
- Information about your health-related conditions, symptoms, status, diagnoses, testing, or treatments (including surgeries, procedures, medications, or other interventions). For example, we may collect such information through forms, surveys, or other communication with you when you provide in connection with a service you request.
- Measurements of bodily functions or vital signs. For example, we may collect such information to the extent you provide it when requesting Services.
- Location information that could reasonably indicate your attempt to acquire or receive health services or supplies. For example, if you search for a provider or a location to a health care provider, we may collect location data that could be deemed to reveal health- related information.
- Information that could be related to reproductive or sexual health information. For example, we may collect such information to the extent you provide it when requesting Services.
- Information that could identify your attempt to seek health care services or information, including services that allow you to assess, measure, improve, or learn about your or another person’s health. For example, we collect your search queries, which may include queries concerning wellness, medical or mental health conditions, or providers that specialize in certain health conditions.
We collect other information as described in our Privacy Policy in order to provide our Website, the associated Applications, and web applications (collectively, the “Services”) or operate our business which we do not believe are reasonably related to CHD and that we do not process to associate or identify you with CHD.
Sources of Consumer Health Data
We collect personal data (which may include CHD as described above) directly from you and from your interactions with our Site and Services. As described further in the Information We Collect from Other Sources section of our Privacy Policy, we also collect information about you from Providers and Health Plans, but this information is covered by HIPAA and would not be CHD under the MHMDA.
Why We Collect and Use Consumer Health Data
To the extent we collect and use CHD, we do so for the purposes described in the Notice of Collection and Uses of Information section of our Privacy Policy. More specifically, we collect and use information that could be considered CHD:
- As reasonably necessary to provide you with the products or services you have requested or authorized. This may include delivering and operating the products and services and their features, responding to your communications, personalization of certain product or service features, ensuring the secure and reliable operation of the products and the systems that support them, troubleshooting and improving the products, and other essential business operations that support the provision of the products or services (such as analyzing our performance and meeting our legal obligations).
- For any purpose for which you consent or direct us to collect or use it.
We may use CHD for other purposes for which we will give you choices and/or obtain your consent as required by law. See the Privacy Rights section of the Privacy Policy and the How to Exercise Your MHMDA Rights section below for more details on the rights and choices you may have.
Our Disclosure of Consumer Health Data
We may disclose each of the categories of data that could be considered CHD described above for the purposes described in the Disclosure of Information section of the Privacy Policy. In particular, we may disclose your personal data, including CHD:
- To the extent necessary to provide a product or service that you have requested or as reasonably necessary to complete any transaction or provide any product or service you have requested or authorized, as described above.
- For any purpose for which you consent or direct us to disclose it.
For example, if you obtain services, we will disclose information about the transaction as necessary to process the payment, including protection against fraud. And we may disclose data when we believe that doing so is necessary to comply with applicable law or respond to valid legal process.
Third Parties To Whom We Disclose Consumer Health Data
As necessary for the purposes described above to provide the Services that you request from us, we disclose information that could be considered CHD with the following categories of third parties:
- Service providers. Vendors, service providers, or contractors (“processors”) that provide services on our behalf may access information that might be considered CHD for the purposes described above. For example, companies that provide customer service support, technical services, or assist in protecting and securing our systems and services may need access to data to provide those functions on our behalf.
- Financial institutions & payment processors. When you obtain Services or enter into a financial transaction, we will disclose payment and transactional data to banks and other entities as necessary for payment processing, fraud prevention, credit risk reduction, analytics, or other related financial services.
- Parties to a corporate transaction. We may disclose information that might be considered CHD as part of a corporate transaction or proceeding such as a merger, financing, acquisition, bankruptcy, dissolution, or a transfer, divestiture, or sale of all or a portion of our business or assets.
- Affiliates. We may enable access to data across our subsidiaries, affiliates, and related companies, to the extent access helps us to provide our services and operate our business. Our affiliates include Therapymatch, Inc.
- Government agencies. As described in our privacy statement and our Law Enforcement Requests Report, we disclose data to law enforcement or other government agencies when we believe doing so is necessary to comply with applicable law or respond to valid legal process.
- Other third parties. In certain circumstances, it may be necessary to provide data to other third parties, for example, to comply with the law or to protect our rights or those of our customers.
- Other users and individuals. If you use our services to interact with other users of the Service or other recipients of communications, we may disclose data, including information that might be considered CHD, as directed and requested by you and your interactions.
- The public. You may select and request options available through our Services to publicly display and disclose certain information, such as your profile, demographic data, content and files, or geolocation data, which may include information that might be considered CHD.
How to Exercise Your MHMDA Rights
MHMDA provides certain rights with respect to CHD, including rights to confirm collection of, access, delete, or withdraw consent relating to such data, subject to certain exceptions. You can request to exercise such rights using the methods described in the Privacy Rights section of the Privacy Policy. And if you want to access or control CHD that we process that is not available via those methods, you can email us at [email protected].
If your request to exercise a right under the MHMDA is denied, you may appeal that decision by contacting our privacy support team at
[email protected]. If your appeal is unsuccessful, you can raise a concern or file a complaint with the Washington State Attorney General at
www.atg.wa.gov/file-complaint.