Summary of Changes:
- Section 5: Coral will contractually bind 3rd party vendors to their privacy policies whenever possible.
- Section 7: You can read more about the risks, benefits, and limitations of sharing your data on the HHS website.
- Section 12: Coral may retain de-identified personal data for up to 6 months, or as required by law or our contractual obligations.
- Section 13: Dormant accounts will be deleted after 2 years of inactivity.
At Coral Health, our goal is to help you take control of your healthcare. To that end, our services help you manage your prescriptions and track your health records data. We are committed to protecting the security and privacy of your personal information. We know that the success of our services depends on earning and maintaining your trust. We have taken considerable steps to protect the confidentiality, security and integrity of your information.
Use of our Services is not intended to provide or replace the consultation, guidance, or care of a health care professional or other qualified provider. Use of our Services is for informational and educational purposes only. Health care professionals and other qualified providers should continue to consult authoritative records when making clinical decisions.
- What Information We Collect from You
- How We Use Your Information
- How You Control Sharing Of Information
- How We Secure Your Information
- How You Control Your Information
- Other Important Data Retention Policies and Rights You Have
Coral Health complies with all local, state and federal privacy laws regulating the transmission, processing and storing of health information, including the Health Insurance Portability and Accountability Act of 1996, as amended from time to time, together with the regulations adopted thereunder (“HIPAA”). We also comply with the ONC Model Privacy Notice, the CARIN Alliance Code of Conduct, the Veterans Affairs API Terms of Service, and the rules and regulations of the US Centers for Medicare & Medicaid Services.
3. What Information We Collect from You
We collect Personal Information as part of providing Services to all of our users. Personal Information may include information you report about yourself and/or information collected from devices or third parties. We believe in keeping confidential all personally identifiable information that identifies an individual, including your past, present, or future physical or mental health condition. To do so, we de-link your personally identifiable information, such as your account information, from your health records before storing any data. We also encrypt all information by default.
Account Information. We may collect Personal Information that includes, but is not limited to, identifying data such as name, email address, address information, and date of birth.
Profile Information. We collect the information that you voluntarily enter into a user profile. This may include pictures, nicknames, and other personal details.
Health Information. With your permission, we may collect information such as personal activities, health and wellness data, medications, tests, medical records, and health issues submitted through the Services.
Sensitive Information. Certain information you provide is considered Sensitive Information and may include genetic information, HIV testing or status, mental health, race, ethnicity, and sexual orientation. This information may be recorded in information shared with us by a third party such as a doctor.
Device Information. We may collect device identifiers such as serial number, device type, IP address and browser type, language preferences and location, operating system, date and time of your access, internet service provider or mobile carrier, internet domain and host name, and referral URL.
Information From Your Use of Services. We collect information related to your use of our Services, such as which healthcare provider you search for, which menus you use, pages you view, or search results you click on. You may interact with our support team during the use of our Services, in which case, we would collect information about your communications.
If you visit the Site, whether or not you become a user of our Services, be advised that we will maintain web logs to record data about all visitors and customers who use this Site and interact with the Services, and we will store this information. These logs may contain IP address information, types of operating system you use, the date and time you visited the site, and, if you are a user of our Services, information about the type of any personal tracker or other device or service you connect to the Services and information about the data uploaded from any such device or service.
All web logs are stored securely, with access restricted to a very limited number of employees who must adhere to strict guidelines regarding user data security and privacy.
4. How We Use Your Information
We use your Personal Information to provide Services to you. Examples of how we use your information include:
- Authenticating your identity and access to the Services so you can share your Personal Information with the third parties of your choice such as your family, healthcare providers, and care team;
- Collecting Personal Information entered by you, imported by you (e.g., from a device) or authorized by you (e.g., blood test results from a lab);
- Restricting access to your Personal Information;
- Transmitting information to a third party that you authorize to receive your Personal Information through our Services;
- Creating an export of your Personal Information based on your authorization;
- Sending you account notifications and updates about our Services;
- Building new Services and improving existing Services;
- Troubleshooting our Services or enforcing Terms of Service use; or
- Detecting and protecting against error, fraud, malicious activity, or other suspicious or criminal activity.
Coral Health Services. If you elect to create a Coral Health account, we may use your Personal Information to tell you about or present to you products or services that we believe may be of interest to you.
- We will not, without your express consent, provide your personal information to any third party for their or any other third party’s direct communications.
- You can opt out of receiving these communications by following the instructions contained in each email we send you.
- In addition, you can inform us at any time at [email protected] if you no longer consent to these communications.
- If you unsubscribe, you will no longer receive these communications but we will continue to contact you regarding our Services and to respond to your other requests.
5. How You Control Sharing of Information
We do not sell, lease, or rent your individual-level information to any third party.
- Information You Share with Others:
- You can share information through our Services by (i) exporting a copy of your Personal Information, (ii) sending your Personal Information to third-parties such as your doctor and care team through the Service, and (iii) other features that may be offered through our Services. Within our Services, sharing Personal Information with third parties such as a doctor requires your explicit consent within the application.
In certain, limited circumstances, we may share your Personal Information with third parties without further notice to you, unless required by the law, as set forth below:
- Business Transfers: If we are involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, sale of all or a portion of our assets, or transition of service to another provider, your Personal Information and other information may be shared in the diligence process with counterparties and others assisting with the transaction and transferred to a successor or affiliate as part of that transaction along with other assets. In such an event, we notify you and the acquiring company will be responsible for informing you about material changes to the way your data is used. As always, you will have the option to have your account deleted.
- Legal Requirements: We disclose personally identifiable information about you as required or permitted by law, including complying with legal process. We fully cooperate with law enforcement agencies in identifying those who use our Services for illegal activities and may, in our sole discretion, disclose personal information or other information to satisfy any law, regulation, subpoena, or government request. We reserve the right to release personal information or other information about users who we believe are engaged in illegal activities or are otherwise in violation of our Terms of Service, even without a subpoena, warrant or court order, if we believe, in our sole discretion, that such disclosure is necessary or appropriate to operate our Services or to protect our rights or property, or that of our affiliates, or our officers, directors, employees, agents, third-party content providers, or licensors. We also reserve the right to report to law enforcement agencies any activities we reasonably believe in our sole discretion to be unlawful. If we are legally compelled to disclose information about you to a third party, we will attempt to notify you by sending an email to the email address in our records unless doing so would violate the law or unless you have not provided your email address to us.
Anonymized Data Sharing. Coral Health may use and share your anonymized or aggregated information for services improvements, analytics and other legally permissible purposes. No health information, even de-identified, anonymized or pseudonymized data, will be shared with any third party, unless you expressly authorize it.
6. How We Secure Your Information
The protection of your data is of the utmost importance to us. We use all reasonable technical, physical, and administrative controls to protect your Personal Information from unauthorized access or disclosure and to ensure the appropriate use of information. We store your data in the United States. We maintain a high level of data protection via safeguards such as data backup, audit controls, access controls, and data encryption both in transit and at rest. We also delink your personally identifiable information from your health records to further minimize the risk that your information is compromised. Creating a Coral Health account is optional and not required for use of some features of the app. Despite these measures, no data transmission or storage system is guaranteed to be 100% secure. In the event of a security breach, we will notify affected individuals, regulatory authorities, and others consistent with requirements under federal and state law or contractual obligations. App users will be notified by email if possible, and push notification if not. If you have questions about security or possible reason to believe that your interaction with our Site or Services is no longer secure (e.g., you feel that your account’s security may be compromised), please contact us immediately at [email protected]
If we believe that the security of any personal information in our care may have been compromised, we may seek to notify you. If we have your email address, we may notify you by email to the most recent email address you have provided us in your account profile. Please keep your email address in your account up to date. You can change that email address anytime in your account profile. If you receive a notice from us, you can print it to retain a copy of it. To receive these notices, you must check your email account using your computer or mobile device and email application software. We may also post a conspicuous notice on our site or notify you through the mobile application. You consent to our use of email, text message and/or notification through the app as a means of such notification. If you prefer for us to use the postal service to notify you in this situation, please let us know by submitting a request to [email protected]. You can make this election any time, and it will apply to notifications we make after a reasonable time thereafter for us to process your request.
7. How You Control Your Information
You are the owner of your health data. We help you access your health information and give you the option to share that information with whomever you choose. You have the ultimate control over who has access to which information.
Coral Health does not currently monetize your information, either personal or health-related. Coral Health may monetize your information in the future, and will notify you by in-app notification or email before any such changes. Coral Health will never monetize your information without your explicit consent.
You can review your Personal Information that is stored and available within our Services at any time. You also have choices concerning the Personal Information you authorize to be stored within our Services and the export of your Personal Information. Please review the following options you have to control the management, use, change, and deletion of your Personal Information that is stored within our Services.
For additional information on the risks, benefits, and limitations of sharing your data, please refer to the Health and Human Services website. You can find their latest press release on patient data sharing here.
8. Deleting Your Data
You may request to delete any Personal Information and to de-authorize the collection, use, storage, and disclosure of Personal Information in the future by sending us an email at [email protected]. Any such deletion or de-authorization will have no effect on sharing of Personal Information before we receive and are able to act upon such a request.
During the use of our Services, you may authorize us to send your Personal Information to third parties who are providing you value. You will have full transparency regarding whom within the ecosystem you previously sent your Personal Information. To delete a copy of your records from these entities, you will need to follow their policies and procedures for data deletion.
9. Exporting a Copy of Your Data
You can export a copy of your Personal Information that is stored within our Services. If you have questions about exporting Personal Information from our Services, please contact [email protected].
10. Changes to Your Personal Information
We work with thousands of medical providers to enable you to obtain and hold copies of your Personal Information. We may also provide tools for you to manually enter health data or collect data from devices. While we strive to collect complete and accurate information from the sources provided to us, we do not have control over the accuracy, completeness, or quality of information entered or sent to us. For example, you may identify incorrect, incomplete, or outdated information from a third-party provider. If you have questions or find issues with your Personal Information, it is your responsibility to identify issues and ensure corrections are made to the original source of information.
- For a care provider or health plan, you should contact the provider who controls your original information.
- For manually entered information, you are responsible for reviewing information and making corrections.
Your Responsibility to Protect Your Personal Information
You are responsible for your handling, sharing, re-sharing and/or distribution of your Personal Information. We will have no responsibility or liability for any consequences that may result from your disclosure of your Personal Information. Moreover, if you forward Personal Information electronically to another person on or off the Site or Services, we are not responsible for any harm or other consequences from third party use or re-sharing of your information. We recommend sharing Personal Information only with individuals and other third parties that you know and trust.
In addition, we urge you to take precautionary measures in maintaining the integrity of your data. Please be responsible in making sure no one can see or has access to your personal accounts and log-in username and password information. If you use a public computer, such as the library or a university, or a shared device, always remember to log out of the Site or Services.
If you use our Site or Services through your employer’s computer network or through an internet café, library or other potentially non-secure internet connection, such use is at your own risk. It is your responsibility to check the company’s privacy and security policy with respect to Internet use beforehand.
We cannot guarantee the identity of any other non-employee person with whom you may interact in the course of using the Site or Services, or the authenticity of any information that others may provide.
11. Third Party Sites and Trusted Relationships
Our Site contains links to other sites. We do not share your Personal Information with those sites except as authorized under the End User Terms of Service and are not responsible for their privacy policies and procedures. We encourage you to learn their particular privacy policies but we seek to work with trusted partners and organizations that will adhere to similar privacy and ethical standards.
12. Account Closure
You may close your account by sending a request to [email protected]. We will close your account and delete the Personal Information within your account within thirty (30) days of our receipt of your request. Please note that deletion of Personal Information within our Services does not include any information that you previously provided to a third party through our Services. You must contact third parties separately regarding controls and choices for the personal information that you shared. We cannot remove personal information from third parties to whom you have chosen to send your information.
13. Data Retention
Identifiable information about you is held no longer than necessary for our business purposes or to meet legal requirements.
After 1 year of inactivity, your account will be considered inactive and may be deleted by Coral Health. We will notify you via push notification or email at least 7 days before deleting your account. Dormant accounts will be deleted after 2 years of inactivity.
Coral Health’s website and Services are not intended for use by individuals under the age of 18. By using these Services, you warrant that you are 18 years of age or older. If you discover that your child has been using the Service without your consent, or that someone has been using the Service for or on behalf of your child without your consent, please contact us at [email protected] and we will take reasonable steps to delete the child’s information from our active databases. Coral Health reserves the right to check its user base from time to time and remove users whom Coral Health has grounds to believe are in fact minors, including without limitation, restricting those user accounts, or deleting them, as Coral Health may deem appropriate.
15. Tracking Technologies – Cookies
A “persistent” cookie may be used to help save your settings and customizations. Also, if you log in to the Site, such a cookie will be used to recognize you as a valid user so you will not need to log in each time you use the Site.
Most web browsers automatically accept cookies but allow you to modify security settings so you can approve or reject cookies on a case-by-case basis or reject all cookies. You can configure your web browser to remove cookies by following the directions provided in your Internet browser’s “help” section.
16. EEA Residents Rights
If you are a resident of the European Economic Area, you have the following data protection rights:
At any time, you can stop the collection of your information by uninstalling the App and refraining from using the Service.
You may:
- Request rectification of your Personal Information that is in our control.
- Receive confirmation as to whether or not Personal Information concerning you is being processed, and access your stored Personal Information, together with supplementary information.
- Receive a copy of Personal Information you directly volunteer to us in a structured, commonly used and machine-readable format.
- Request erasure of your Personal Information.
- Object to the processing of Personal Information by us.
- Request to restrict processing of your Personal Information by us.
- Lodge a complaint with a supervisory authority.
However, please note that these rights are not absolute, and may be subject to our own legitimate interests and regulatory requirements.
If you wish to exercise any of the above rights, or ask us a question, please contact us at [email protected].
17. Residents of California: Your California Privacy Rights
Notices for California Residents
California Privacy Act Notice. Under California Civil Code sections 1798.83-1798.83, California residents are entitled to ask us, once per year, for a notice identifying any categories of information which we share with our affiliates and/or third parties for marketing purposes, and providing contact information for these affiliates and/or third parties. Requests will apply to information provided during the previous calendar year (for example, if you request information in 2019, you will receive information regarding 2018).
If you are a California resident and would like a copy of this notice, please submit a written request by email to [email protected] with the subject heading “California Privacy” or by regular mail to Coral Health (ATTN: PRIVACY), 52 Hubbard St, Malden, MA.
California Consumer Privacy Act (CCPA) Notice. Under California Civil Code sections 1798.100-1798.198 and their implementing regulations, California residents can request a disclosure in machine readable format of the categories and specific pieces of personally identifiable information that we have collected about you and your household during the 12 months preceding our receipt of a verifiable consumer request (limit two times per 12-month period). You can also ask where this information came from, what we use it for, and whether we disclose or sell it to others. If we disclose or sell it to others, you have the right to easily opt out of this practice. Please contact us by email at [email protected] with the subject heading “California Privacy” or by regular mail to Coral Health (ATTN: PRIVACY), 52 Hubbard St, Malden, MA.
18. Medicare Beneficiaries: Access to Your Medicare Claims Data Through CMS Blue Button 2.0
Blue Button 2.0 from CMS is an application programming interface (API) that contains years of Medicare Part A, B and D data for the nation’s Medicare beneficiaries. This data reveals a variety of information about a beneficiary’s health, including type of Medicare coverage, drug prescriptions, primary care treatment and cost. Beneficiaries also have full control over how their data can be used and by whom, with identity and authorization controlled by MyMedicare.gov. If you are a Medicare beneficiary, and wish to include available Medicare claims data in your Coral Health account, you can do so through our Services.
© 2020 Coral Health Research and Discovery Inc. All Rights Reserved.