Effective Date: March 4, 2020
Privacy Shield Participation
CentralReach participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. We are committed to subjecting all personal data received from European Union (EU) member countries and Switzerland, respectively, in reliance on each Privacy Shield Framework, to the Framework’s applicable Principles. To learn more about the Privacy Shield Frameworks, and to view our certification, visit the U.S. Department of Commerce’s Privacy Shield List at https://www.privacyshield.gov.
CentralReach is responsible for the processing of personal data it receives, under each Privacy Shield Framework, and subsequently transfers to a third party acting as an agent on its behalf. CentralReach complies with the Privacy Shield Principles for all onward transfers of personal data from the EU and Switzerland, including the onward transfer liability provisions.
With respect to personal data received or transferred pursuant to the Privacy Shield Frameworks, CentralReach is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission.
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.
Under certain conditions, more fully described on the Privacy Shield website at https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.
What information do we collect?
Our Products collect information used by our Customers to provide medical and related services. CentralReach’s Customers input data and information into CentralReach’s Products, and CentralReach processes such information on behalf of our Customers. Accordingly, CentralReach has no direct relationship with the individuals whose personal data it processes on behalf of our Customers. If you are a client or employee of one of our Customers and would no longer like to be contacted by that Customer or have any questions or concerns about data or information that Customer may have entered into our Products, please contact that Customer directly. We may transfer personal information to companies that help us provide our service. Transfers to subsequent third parties are covered by the service agreements between us and our Customers, and between us and such third parties.
Information Collected Through Our Products
Our Products collect information about you entered by our Customers. Our Customers will collect information about you that they determine to be necessary or advisable in connection with the service they are providing to you. If you desire to obtain a specific list of all data collected about you, you must contact the Customer directly. CentralReach does not control the data entered into our Products by our Customers. Information about you that may be collected by our Customers in our Products may include:
- Email address
- Mailing address
- Phone number
- Demographic information
- Insurance information
- Payment information
- Health and biometric data
- Medical service history and related documentation
- Such other information as the Customer deems relevant
In addition, Customers may enter certain information regarding their employees into our Products. If you are an employee of one of our Customers and desire to obtain a specific list of all data collected about you, you must contact the Customer employing you directly. CentralReach does not control the employee data entered into our Products by our Customers. This information may include:
- Contact information
- Demographic information
- Benefits information
- Salary information
- Job title
- Licensing and professional certification information
- Disciplinary history
- Academic information
- Such other employment information as the Customer deems relevant
Information We Collect Automatically
While you visit or use our Websites, certain information, including personal information, is collected about your use of the Website, as follows:
Device and Usage Information: Information about your hardware and software, IP address, browser type and version, operating system, browsing history and page views, length of visit, referral/exiting sources, device identifiers such as Apple IDFA or Google Advertising ID, cookie identifiers, other pseudonymous identifiers, and information about the timing, frequency, and patterns of your usage.
Location Information: We may collect information about your actual or non-precise physical location when you voluntarily tell us, or when you provide this information via sharing your device's IP address or mobile device's GPS, wi-fi, or cellular signal information. You may control, enable or disable the use of location-based services from within your device's settings or mobile application's permissions.
Server log files: We automatically gather server log file information when you use our Products. This includes IP address, browser type, referring and exit web pages, and your operating system.
What is the information used for?
The information collected through our Products is used by CentralReach to provide our Customers with practice management, clinical and related cloud-based software solutions, which, among other things:
- Improves customer service
- Helps us administer your account
- Enables us to respond to your questions and concerns
- Facilitates customer relationships
- Allows us to render billing and invoicing services
- Obtains payment for health care services
- Provides health care operations
- Manages medical and/or health records
- Monitors treatment adherence
- Facilitates our Customers in rendering medical services
- Manages employment relationships
We collect and use personal information solely with the objective of fulfilling those purposes specified above and for other compatible purposes, unless you provide your consent or as required by law.
Do we disclose your information?
Third Party Service Providers/Vendors: We share your information with contracted third parties who provide services on our behalf to help with our business activities. These companies are authorized to use your personal information only as necessary to provide these services to us, pursuant to written instructions. In such cases, these companies must abide by our data privacy and security requirements, and are not allowed to use personally identifiable information, including protected health information, they receive from us for any other purpose. Representative business processes that our service providers/vendors assist us with may include:
- Promotional, marketing and sales efforts
- Network or cybersecurity monitoring and intrusion detection
- Web or application development/management
- Payment processing
- Insurance and payor invoicing
- Providing cloud computing infrastructure/storage/processing, etc.
- Technical administration, such as hosting, managing and maintaining our Websites, services, applications, networks etc.
- Analytics for research and development purposes, including products usage data, and benchmarking research and services on an anonymized basis
- Educational development relating to training, certification, course development and related activities
Legal Compliance: In certain situations, we may be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. We may also disclose your personal information as required by law, such as to comply with a subpoena or other legal process, when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.
Corporate Transactions: If CentralReach is involved in a merger, acquisition, dissolution, sale of all or a portion of its assets, or other fundamental corporate transaction, we reserve the right to sell or transfer your information as part of the transaction.
How can I exercise my choices?
Whenever possible and within its authority, CentralReach will offer you the opportunity to choose (opt-out) whether your personal information is to be used by CentralReach for a purpose other than the purpose for which it was originally collected or subsequently authorized by you. CentralReach will provide you with reasonable mechanisms to exercise your choices.
How can I access my account?
Our Customers access their accounts by password-protected logins as a part of their subscription to our Products and may enter and delete (subject to applicable law regarding medical records) information directly. An individual who seeks access, or who seeks to correct, amend, or delete data entered by one of our Customers should direct their inquiry directly to the Customer (the data controller). If requested by a Customer to remove data we will respond within a reasonable timeframe which will not exceed thirty (30) days or as otherwise required by law. If the process of removal will require in excess of thirty (30) days (or such other period as required by law) we will inform the Customer.
How long will my information be retained?
CentralReach will retain personal data we process on behalf of a Customer for as long as needed to provide services to such Customer. Our Customers are solely responsible for exporting all data stored in our Products prior to the termination of our services. CentralReach will retain all such data for a minimum of sixty (60) days after the termination of our services to a Customer as a safeguard in case the Customer requires more time to export its data. Customers will be responsible during this sixty (60) day period to make any requests for additional data. CentralReach reserves the right to retain such data beyond such sixty (60) day period to the extent CentralReach determines necessary to satisfy other reasonable business purposes, such as complying with legal obligations, resolving disputes, or enforcing our agreements.
Do our Products use web cookies, beacons, and widgets?
To facilitate our operations, we may transfer, store and process your personal information in jurisdictions other than where you live, including in the United States. Laws in these countries may differ from the laws applicable to your country of residence. For instance, if you are a European Economic Area (EEA) data subject and your personal information is shared with our affiliates, partners, or third-party service providers acting on our behalf outside of the EEA, then it is done so pursuant to necessary means to ensure an adequate level of protection.
What rights do I have if I am a California consumer?
Pursuant to California Civil Code Section § 1798.83, we will not disclose or share your personal information with third parties for the purposes of third-party marketing to you without your prior consent.
To the extent we have the authority to respond to your exercising of the rights below, you may do so subject to our verification of your identity. In the event you use a third party agent to make any such request of Central Reach under this section, we may require additional confirmation of your authorization of such a request before processing your request.
Access: You may email us at firstname.lastname@example.org to request a copy of the Personal Information our Products databases currently contain.
Deletion. If you should wish to cease use of our Website and have your Personal Information deleted from our Website, then you may submit a request by emailing us at email@example.com. Upon receipt of such a request for deletion, we will confirm receipt and if you are our Customer, we will confirm once your Personal Information has been deleted, and if you are a client of one our Customers, we will forward your request to such Customer controlling your data. Where applicable, we will ensure such changes are shared with trusted third parties.
In addition, if a California resident exercises his or her rights under California law, including the CCPA, we shall not discriminate against that California resident by denying our goods or services, charging different prices or rates to similarly situated consumers, providing a different level or quality of our goods or services, or taking any other adverse action.
In accordance with and subject to then current requirements of the CCPA, requests from California residents relating to the type of data we collect or process, or requests to delete data will be responded to within 10 business days of our receipt of the request, and completion of requested action shall occur within 45 days (or within 90 days if we advise you that additional time is required due to reasonable restraints, limitations or conditions).
How do we secure your information?
We follow generally accepted industry standards to protect the personal information submitted to us, both during transmission and once we receive it. No method of transmission over the Internet, or method of electronic storage, is 100% secure, however. Therefore, we cannot guarantee its absolute security. To report a security violation, please promptly call us at 1-800-939-5414 or email us at firstname.lastname@example.org
ATTN: Privacy Officer
100 Matawan Road
Matawan, New Jersey 07747