EU-U.S. Data Privacy Framework with UK Extension, and Swiss-U.S. Data Privacy Framework
CentralReach is responsible for the processing of personal data it receives, under each Data Privacy Framework, and subsequently transfers to a third party acting as an agent on its behalf. CentralReach complies with the Data Privacy Framework Principles for all onward transfers of personal data from the EU, the UK and Switzerland, including the onward transfer liability provisions.
The Federal Trade Commission has jurisdiction over CentralReach’s compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. In certain situations, CentralReach may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, CentralReach commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF to TRUSTe, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://feedback-form.truste.com/watchdog/request for more information or to file a complaint. These dispute resolution services are provided at no cost to you.
Under certain conditions, more fully described on the Data Privacy Framework website at https://www.dataprivacyframework.gov/s/article/How-to-Submit-a-Complaint-Relating-to-a-Participating-Organization-s-Compliance-with-the-DPF-Principles-dpf, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.
What information do we collect?
Our Products collect information used by our Customers to provide medical and related services. CentralReach’s Customers input data and information into CentralReach’s Products, and CentralReach processes such information on behalf of our Customers. Accordingly, CentralReach has no direct relationship with the individuals whose personal data it processes on behalf of our Customers. If you are a client or employee of one of our Customers and would no longer like to be contacted by that Customer or have any questions or concerns about data or information that Customer may have entered into our Products, please contact that Customer directly. We may transfer personal information to companies that help us provide our service. Transfers to subsequent third parties are covered by the service agreements between us and our Customers, and between us and such third parties.
Information Collected Through Our Products
Our Products collect information about you entered by our Customers. Our Customers will collect information about you that they determine to be necessary or advisable in connection with the service they are providing to you. If you desire to obtain a specific list of all data collected about you, you must contact the Customer directly. CentralReach does not control or possess the data entered into our Products by our Customers.
In addition, Customers may enter certain information regarding their employees into our Products. If you are an employee of one of our Customers and desire to obtain a specific list of all data collected about you, you must contact the Customer employing you directly. CentralReach does not control or possess the employee data entered into our Products by our Customers.
Customers are solely responsible for providing all requisite notices to control or possess your data entered into our Products. Information about you that may be collected by our Customers in our Products includes:
- A real name, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name.
- Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)).
- A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.
- Protected classification characteristics.
- Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information).
- Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
- Sensitive Personal Information.
- Precise geolocation, Social Security number, driver’s license, state identification card, passport number, account log-in, financial account, debit card, credit card number with security, or access code or password, racial or ethnic origin, religious/philosophical beliefs, or union membership, contents of mail, email, and text messages, genetic data and processing of biometric information, health and sexual orientation.
- Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data.
- Internet or other similar network activity.
- Browsing history, search history, information on a consumer's interaction with CentralReach’s website, application, or advertisement.
- Physical location or movements.
- Audio, electronic, visual, thermal, olfactory, or similar information.
- Professional or employment-related information.
- Current or past job history or performance evaluations.
- Non-public education information.
- Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.
- Inferences drawn from other Personal Information.
- Profile reflecting a person's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
Information We Collect Automatically
While you use our Products, certain information, including personal information, is collected about your use of our Products, as follows:
Device and Usage Information: Information about your hardware and software, IP address, browser type and version, operating system, browsing history and page views, length of visit, referral/exiting sources, device identifiers such as Apple IDFA or Google Advertising ID, cookie identifiers, other pseudonymous identifiers, and information about the timing, frequency, and patterns of your usage.
Location Information: We may collect information about your actual or non-precise physical location when you voluntarily tell us, or when you provide this information via sharing your device's IP address or mobile device's GPS, Wi-Fi, or cellular signal information. You may control, enable or disable the use of location-based services from within your device's settings or mobile application's permissions.
Server log files: We automatically gather server log file information when you use our Products. This includes IP address, browser type, referring and exit web pages, and your operating system.
What is the information used for?
The information collected through our Products is used by CentralReach to provide our Customers with practice management, clinical and related cloud-based software solutions, which, among other things:
- Improves customer service
- Helps us administer your account
- Enables us to respond to your questions and concerns
- Facilitates customer relationships
- Allows us to render billing and invoicing services
- Obtains payment for health care services
- Provides health care operations
- Manages medical and/or health records
- Monitors treatment adherence
- Facilitates our Customers in rendering medical services
- Manages employment relationships
We collect and use personal information solely with the objective of fulfilling those purposes specified above and for other compatible purposes, unless you provide your consent or as required by law.
Do we disclose your information?
Third Party Service Providers/Vendors: We share your information with contracted third parties who provide services on our behalf to help with our business activities. These companies are authorized to use your personal information only as necessary to provide these services to us, pursuant to written instructions. In such cases, these companies must abide by our data privacy and security requirements, and are not allowed to use personally identifiable information, including protected health information, they receive from us for any other purpose. Representative business processes that our service providers/vendors assist us with may include:
- Promotional, marketing and sales efforts
- Network or cybersecurity monitoring and intrusion detection
- Web or application development/management
- Payment processing
- Insurance and payor invoicing
- Providing customer service
- Providing cloud computing infrastructure/storage/processing, etc.
- Technical administration, such as hosting, managing and maintaining our sites, services, applications, networks, etc.
- Analytics for research and development purposes, including products usage data, and benchmarking research and services on a de-identified basis.
- Educational development relating to training, certification, course development and related activities
Legal Compliance: In certain situations, we may be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. We may also disclose your personal information as required by law, such as to comply with a subpoena or other legal process, when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.
Corporate Transactions: If CentralReach is involved in a merger, acquisition, dissolution, sale of all or a portion of its assets, or other fundamental corporate transaction, we reserve the right to sell or transfer your information as part of the transaction.
How can I exercise my choices?
Whenever possible and within its authority, CentralReach will offer you the opportunity to choose (opt-out) whether your personal information is to be used by CentralReach for a purpose other than the purpose for which it was originally collected or subsequently authorized by you. CentralReach will provide you with reasonable mechanisms to exercise your choices.
How can I access my account?
Our Customers access their accounts by password-protected logins as a part of their subscription to our Products and may enter and delete (subject to applicable law regarding medical records) information directly. An individual who seeks access, or who seeks to correct, amend, or delete data entered by one of our Customers should direct their inquiry directly to the Customer (the data controller). If requested by a Customer to remove data we will respond within a reasonable timeframe which will not exceed thirty (30) days or as otherwise required by law. If the process of removal will require in excess of thirty (30) days (or such other period as required by law) we will inform the Customer.
How long will my information be retained?
CentralReach will retain personal data we process on behalf of a Customer for as long as needed to provide services to such Customer. Our Customers are solely responsible for exporting all data stored in our Products prior to the termination of our services. CentralReach will retain all such data for a minimum of sixty (60) days after the termination of our services to a Customer as a safeguard in case the Customer requires more time to export its data. Customers will be responsible during this sixty (60) day period to make any requests for additional data. CentralReach reserves the right to retain such data beyond such sixty (60) day period to the extent CentralReach determines necessary to satisfy other reasonable business purposes, such as complying with legal obligations, resolving disputes, or enforcing our agreements.
Do our Products use web cookies, beacons, and widgets?
To facilitate our operations, we may transfer, store and process your personal information in jurisdictions other than where you live, including in the United States. Laws in these countries may differ from the laws applicable to your country of residence. For instance, if you are a European Economic Area (EEA) data subject and your personal information is shared with our affiliates, partners, or third-party service providers acting on our behalf outside of the EEA, then it is done so pursuant to necessary means to ensure an adequate level of protection.
What rights do I have if I am a California consumer?
Pursuant to California Civil Code Section § 1798.83, we will not disclose or share your personal information with third parties for the purposes of third-party marketing to you without your prior consent.
To the extent we have the authority to respond to your exercising of the rights below, you may do so subject to our verification of your identity. In the event you use a third party agent to make any such request of CentralReach under this section, we may require additional confirmation of your authorization of such a request before processing your request.
Access: You may email us at firstname.lastname@example.org to request a copy of the Personal Information our Products databases currently contain.
Deletion: If you should wish to cease use of our Products and have your Personal Information deleted from our Products, then you may submit a request by emailing us at email@example.com. Upon receipt of such a request for deletion, we will confirm receipt and if you are our Customer, we will confirm once your Personal Information has been deleted, and if you are a client of one of our Customers, we will forward your request to such Customer controlling your data. Where applicable, we will ensure such changes are shared with trusted third parties.
In addition, if a California resident exercises his or her rights under California law, including the CCPA, we shall not discriminate against that California resident by denying our goods or services, charging different prices or rates to similarly situated consumers, providing a different level or quality of our goods or services, or taking any other adverse action.
In accordance with and subject to then current requirements of the CCPA, requests from California residents relating to the type of data we collect or process, or requests to delete data will be responded to within 10 business days of our receipt of the request, and completion of requested action shall occur within 45 days (or within 90 days if we advise you that additional time is required due to reasonable restraints, limitations or conditions).
How do you secure my information?
We follow generally accepted industry standards to protect the personal information submitted to us, both during transmission and once we receive it. No method of transmission over the Internet, or method of electronic storage, is 100% secure, however. Therefore, we cannot guarantee its absolute security. To report a security violation, please promptly call us at 1-800-939-5414 or email us at firstname.lastname@example.org.
ATTN: Privacy Officer
101 Crawfords Corner Road, Suite 2201
Holmdel, New Jersey 07733
Effective Date: January 17, 2024