Phreesia Logo

Consumer Health Data Privacy Policy

Our Phreesia Platform Privacy Policy addresses how Phreesia's products collect and process personal data that relates to individuals' health. Under some state laws, this data is referred to as “consumer health data.” These laws include Washington's My Health My Data Act, Nevada's Consumer Health Data Privacy Law, Connecticut's Data Privacy Act, and other U.S. health privacy laws, as each are amended and as and when they become effective, including any regulations thereunder (collectively, “Consumer Health Data Laws”).

If you are a consumer in a state with a Consumer Health Data Law, this Consumer Health Data Privacy Policy gives you the information required under such Consumer Health Data Laws. The Phreesia Platform Privacy Policy provides much of this information, as well as additional information you may wish to review, including what our values are and how we secure your data. Please note that Phreesia also provides some HIPAA-regulated products and services to HIPAA “covered entities.” The HIPAA-regulated “protected health information” gathered by these products is not covered by this Consumer Health Data Privacy Policy. This Consumer Health Data Privacy Policy also does not apply to the www.phreesia.com website as it does not collect consumer health data.

1. Categories of Consumer Health Data Collected, the Purpose for Which the Data is Collected, Including How the Data Will be Used

When you have signed a consent (a HIPAA Authorization), we may collect the categories of consumer health data, and use them for the purposes, set forth in the following table:

Categories of Consumer Health Data Purpose of Collection and Use
Information from your health care provider, including health information you entered into your healthcare provider's intake forms on the Phreesia platform, as well as information that your healthcare provider has gathered and included in your medical, insurance or appointment records. If, and only if, you sign an optional consent form (a HIPAA Authorization), we collect this information to share personalized health-related materials with you, to plan and select the content on our platform, to measure the effectiveness of content shown to you, to create de-identified health information, and to provide security.
Information you voluntarily enter into the screens. Some of our screens offer to collect information from you as part of our product offerings to you. For example, you may answer survey questions about your experiences with a health product, provide contact information for follow-up from a third party about a health-related topic or provide feedback to us about how our products work.
Information about the personalized health-related materials you see. We collect this information to share personalized health-related materials with you, to plan and select the content on our platform, to measure the effectiveness of content shown to you, to create de-identified health information, and to provide security for your information.
Technical information that helps our product function, for example, information from your browser, computer, or mobile device as you continue to interact with Phreesia's products or services. This information includes device and network information, log files and analytics information. Phreesia also makes use of log files, which include IP addresses, browser type, date/time stamp, and number of clicks.
Information you provide in the course of user support inquiries and to fulfill privacy requests (such as the provider at which you were using our platform when you signed an optional consent that you later exercise your right to revoke). If you provide us consumer health data in this context, we use it to respond to your inquiry, or to fulfill your request, as applicable.

2. Categories of Sources from Which Consumer Health Data is Collected

If you sign an optional consent form (a HIPAA Authorization) that releases information from your healthcare provider to us, we collect such consumer health data from your healthcare provider.

We also collect consumer health data from your use of the product. We collect this information to the extent necessary to provide a product or service that you have requested from us.

Finally, we may also collect consumer health data from you or your authorized representative if you or your authorized representative submit such data in connection with a user support inquiry or to make a privacy request of us.

3. Categories of Consumer Health Data that are Shared

Some personalized health-related materials we show you may offer you the ability to receive additional communications from the sponsor of the materials. For example, a pharmaceutical manufacturer who makes a medicine may sponsor a message about that medicine that you see, and ask if you would like to receive additional communications about the medicine directly from them.You are never required to agree to receive any communications directly from sponsors. Any opportunity to receive additional communications describes what consumer health data you would be sharing (such as your name and email address) and for what purpose. If, after reading this explanation, you decide that you want to share some of your consumer health data with the sponsor, then we will complete your request. This request is distinct from the consent under which we collect consumer health data (the HIPAA Authorization).

The information shared is always set forth in the applicable request, but generally consists of your contact information and information about the campaign you saw so that the sponsor can provide the additional information you have requested.

4. List of Categories of Third Parties and Specific Affiliates with Which We Share Consumer Health Data

We do not sell your consumer health data.

Your Request

We only share your consumer health data with your prior express written direction to third parties you select (for example, to the sponsors of content from whom you request follow-up communications).

Affiliates

We do not share consumer health data with affiliates.

Legal and Government Access

We will not share your consumer health data with law enforcement, government agencies, or private litigants unless such a disclosure is required by a valid and legally binding request.

If we receive a law enforcement request for your consumer health data, we will try to inform you by providing you a notice by sending an email to you at an email address we have on file for you, unless the law does not allow us to provide this notice to you.

Business Organizations

We may disclose your consumer health data in connection with any business combination, securities offering, bankruptcy, reorganization, dissolution or other similar transaction. In such case, your consumer health data would remain subject to the provisions of this Consumer Health Data Privacy Policy, unless amended as described below.

5. How to Exercise Your Rights with Respect to Your Consumer Health Data

You, or your authorized agent, may exercise any of your Consumer Health Data Law rights by emailing Phreesia's Privacy Officer at privacy@phreesia.com or writing to Privacy Officer, Phreesia, Inc., 1521 Concord Pike, Suite 301, PMB 221, Wilmington, DE 19803. Before we can implement your request, we'll need to confirm your identity. To allow us to confirm your identity, you will need to provide your name, date of birth, home address, and the name of the healthcare provider with which you used our platform.

Please contact our Privacy Officer through the email or address listed above with any questions or concerns about this Consumer Health Data Privacy Policy or our information practices.

Supplement to Consumer Health Data Privacy Policy for Nevada Consumers

This supplement applies to Nevada consumers. It provides additional disclosures required by Nevada's Consumer Health Data privacy law.

1. Purposes and Manner of Processing

We collect, use, process, and share consumer health data for the purposes and in the manners described above in Section 1 of our Consumer Health Data Privacy Policy.

2. Review and Revision of Consumer Health Data

If you would like to review and/or revise your consumer health data, you may submit a request to us via any methods listed in our Consumer Health Data Privacy Policy. We will respond to your requests to exercise your rights in accordance with applicable law.

3. Changes

We may update this Consumer Health Data Privacy Policy from time to time. If we update our Consumer Health Data Privacy Policy, we will update this webpage. You can determine when this Consumer Health Data Privacy Policy was last revised by referring to the date at the bottom of this page. Any changes to our Consumer Health Data Privacy Policy will become effective upon posting of the revised Consumer Health Data Privacy Policy. We encourage you to bookmark this webpage and to periodically review it to ensure familiarity with the most current version of our Consumer Health Data Privacy Policy.

4. Third Party Collection of Consumer Health Data

We do not track your browsing activity on third-party sites with third-party pixels, cookies or similar technologies. On our platform, we do not allow third parties to collect information about you for their own purposes through pixels, cookies or similar technologies. For example, we do not allow third-party trackers to collect information about your use of our platform in order to present you with advertisements on third-party sites such as social media, search engines, or other sites on which advertisements are presented.

Effective Date: March 31, 2024