WASHINGTON CONSUMER HEALTH DATA PRIVACY NOTICE
This Washington Consumer Health Data Privacy Notice applies to “consumer health data” collected from Washington state residents and those whose consumer health data is collected through the Evernorth Health, Inc. (“Evernorth,” “we,” “us,” or “our”) or affiliated website on which it is posted, as well as those whose consumer health data is collected in the State of Washington. This notice applies to Washington residents and those whose consumer health data is collected in Washington. Consumer health data means personal information that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status, under the Washington State My Health My Data Act (MHMDA). See also our other privacy notices that provide disclosures about personal information that is not consumer health data subject to MHMDA.
This notice does not apply where an exception or exemption applies such as with respect to protected health information under the Health Insurance Portability and Accountability Act (“HIPAA”) and data that is subject to the Gramm-Leach-Bliley Act (“GLBA”). When we are a covered entity, we provide separate HIPAA and GLBA privacy notices to certain customers and consumers as required under applicable laws and regulations. Most consumer health data we process is regulated under HIPAA or GLBA or is processed for a necessary function.
Consumer Health Data Collected
The personal information, including consumer health data, we collect varies based on your relationship with us. For example, if you visit our website we may collect personal information through tracking technologies essential to running our website. Or, if you visit our physical premises in Washington, we may collect video surveillance or other information that could incidentally include consumer health data.
We may collect the following categories of consumer health data:
- Individual health conditions, treatment, diseases, or diagnosis;
- Social, psychological, behavioral, and medical interventions;
- Health-related surgeries or procedures;
- Use or purchase of prescribed medication;
- Bodily functions, vital signs, symptoms, or measurements of other types of consumer health data;
- Diagnoses or diagnostic testing, treatment, or medication;
- Gender-affirming care information;
- Reproductive or sexual health information;
- Biometric data;
- Genetic data;
- Precise location information that could reasonably indicate a consumer's attempt to acquire or receive health services or supplies;
- Data that identifies a consumer seeking health care services; and
- Other information that may be processed to derive or infer data related to the above or other consumer health data.
The categories of consumer health data above may include the following personal information, when collected in connection with your past, present, or future physical or mental health status:
- Identifiers such as name, contact information, online identifiers, and government-issued ID numbers;
- Characteristics of Protected Classifications under state or federal law such as age and medical conditions;
- Commercial Information such as transaction information and purchase history;
- Internet or Network Activity Information such as browsing history, interactions with our website, Internet Protocol (IP) address, Media Access Control (MAC) address; operating system and version; Internet browser type and version;
- Geolocation Data such as device location; and
- Audio, Electronic, Visual and Similar Information such as call and video recordings;
We process any deidentified consumer health data only in a deidentified fashion and will not attempt to reidentify such data.
Why We Collect and Use Consumer Health Data
To the extent we collect your Consumer Health Data as described above, we may use it for the following purposes:
- Services and Support. To provide and operate our Services, communicate with you about your use of the Services, provide you with information about our Services, including information about health care, health related services, resources and benefits that will help you manage your health; sending administrative information to you, such as changes to our terms, conditions, and policies; provide troubleshooting and technical support, respond to your inquiries, fulfill your orders and requests, process your payments and claims, communicate with you about the Services, complete transactions, provide quotes; and to provide our insurance products or services requested by consumers;
- Analytics and Improvement. To better understand how you access and use the Services, and for other internal research and analytical purposes, such as to evaluate and improve our Services and business operations and for internal quality control and training purposes;
- Research and Surveys. To administer surveys and questionnaires, such as for customer engagement purposes;
- Infrastructure. To maintain our facilities and infrastructure and undertake quality and safety assurance measures;
- Authentication. To authenticate or confirm your identity;
- Security and Protection of Rights. To protect the Services and our business operations; to protect our rights or those of our stakeholders; to prevent and detect fraud, unauthorized activities and access, and other misuse; conduct risk and security control and monitoring; where we believe necessary, to investigate, prevent or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety or legal rights of any person or third party, or violations of our Terms of Use as well as any additional terms specific to the site;
- Compliance and Legal Process. To comply with the law and our legal obligations, to respond to legal process and related to legal proceedings;
- General Business and Operational Support. To consider and implement mergers, acquisitions, reorganizations, bankruptcies, and other business transactions such as financings, and related to the administration of our general business, accounting, auditing, compliance, recordkeeping, and legal functions; and
- Business Transfers. To consider and implement mergers, acquisitions, reorganizations, and other business transactions, and where necessary to the administration of our general business, accounting, recordkeeping, and legal functions.
- Deidentification. We may also aggregate or de-identify data by removing identifying details so it no longer identifies an individual. If we de-identify the data, we will not attempt to reidentify it.
Categories of Sources
We generally collect personal information, including consumer health data, from the following categories of sources:
- Directly from you and automatically;
- Our affiliates; and
- Our vendors
Our Sharing of Consumer Health Data
The categories of third parties and other recipients with whom we may share consumer health data as necessary to provide our products and services requested by consumers are:
- Our affiliates (a full list of specific affiliates is available here);
- Or business customers (as directed by that business partner);
- Government or public authorities if (a) we believe that disclosure is reasonably necessary to comply with any applicable law, regulation, legal process, or governmental request, (b) to enforce our agreements, policies, and terms of service, (c) to protect the security or integrity of our services, (d) to protect the property, rights, and safety of us, our users, or the public from harm or illegal activities, (e) to respond to an emergency which we believe in the good faith requires us to disclose information to assist in preventing the death or serious bodily injury of any person, or (f) to investigate and defend ourselves against any third-party claims or allegations.
How to Exercise Your Rights
MHMDA grants certain rights including a right of access and deletion, subject to certain exceptions.
If you would like to exercise your rights under the MHMDA, you may make a request by contacting us at Privacy@express-scripts.com, by mail at: P.O. Box 188014, Chattanooga, TN 37422 ATTN: Privacy Office. Please indicate that you are making a request pursuant to your “Washington Privacy Rights” and provide us with the following information: (1) first and last name; (2) email address; (3) physical address; and (4) date of birth. We will take steps to verify your request by matching the information provided by you with the information we have in our records.
If your request to exercise a right under the MHMDA is denied, you may appeal the denial. A method for submitting an appeal will be contained in our response. If your appeal is unsuccessful, you can raise a concern or lodge a complaint with the Washington State Attorney General at www.atg.wa.gov/file-complaint.
Notice Effective Date: March 31, 2024