Last updated and effective as of September 10, 2021
This Privacy Statement for HealthStream, Inc. and its affiliates, corporate parent(s), and subsidiaries (collectively, "HealthStream", "we" or "us") describes how HealthStream collects and treats information
through healthstream.com and other websites we own or operate (the "Site"), and our web-based services, digital properties, and applications, as well as your communications with us by any means (collectively, our "Services").
our privacy practices, each of which will be considered to form part of this Privacy Statement.
This Privacy Statement also provides information specific to residents of California and Canada.
Note that this Privacy Statement does not apply to:
- Information collected via a Provider's (defined in Section 3) website or online service, including where the Provider uses HealthStream Services. Your use of a Provider's website or online service is governed by the Provider's privacy statement, and
HealthStream has no control over their privacy practices. For further information, please contact your Provider.
- Services provided through Keener, Nursegrid or myClinicalExchange, which are governed
by their respective privacy statements.
By using or accessing HealthStream Services in any manner, you acknowledge and accept this Privacy Statement, and you consent to our collection, use, and disclosure of your information as described below. If you do not agree with this Privacy Statement,
do not use our Services.
2. Personal Information
As used in this Privacy Statement, "Personal Information" means "personal information", "personally identifiable information" or "personal data" as those terms are defined in applicable privacy and data protection laws, as organized into
the following categories:
- Identifiers (e.g., name, address, username, IP address, email address);
- Protected information (e.g., gender, race, citizenship, marital status);
- Biometric information (e.g., photograph, health data), and audio, electronic, visual, thermal, olfactory, or similar information;
- Commercial information (e.g., products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies);
- Employment-related information (e.g., work history, work authorizations);
- Non-public educational information, including information protected under the U.S. Family Educational Rights and Privacy Act ("FERPA");
- Internet activity (e.g., interactions with a website, content, or advertisement);
- Inferences drawn from Personal Information to create a profile about preferences, characteristics, trends, predispositions, behavior, attitudes, and aptitudes;
- Sensitive Personal Information (e.g., social security, insurance or government ID number; precise geolocation; racial or ethnic origin; biometrics; union membership; contents of messages when we are not the recipient; as well as protected
health information, personal health information, PHI, EPHI, and similar terms of art, each as defined under applicable health privacy laws; and other health information generally).
Personal Information does not include: (i) publicly available information as prescribed by applicable privacy and data protection laws; (ii) aggregate information, meaning data about a group
or category of services or users from which individual identities and other Personal Information has been removed; or (iii) deidentified information that cannot reasonably be used to infer information about, or otherwise be linked to, a particular
consumer. Any de-identified information within HealthStream's control will not be used by us, either alone or in combination with other information, to identify a specific individual.
3. Collection & Use of Personal Information
HealthStream collects and uses Personal Information about you depending on how you interact with our Services, whether as a Site visitor, a healthcare practitioner or other individual user ("User"), or an administrator or other representative
("Administrator") of a health system, hospital, or other healthcare provider using our Services ("Provider"). We only collect, use, retain, and disclose Personal Information as reasonably necessary and proportionate
to provide the Services or for other purposes that we disclose to you and are compatible with the context of how we collected the Personal Information.
a. Categories of Personal Information
During the preceding 12 months, we have collected these categories of Personal Information:
- Employment-related information
- Non-public educational information
- Protected information
- Sensitive Personal Information
- Internet activity
We will update this Privacy Statement or otherwise notify you and obtain your consent where required under applicable law before we collect additional categories of Personal Information or use your Personal Information for purposes that are incompatible
with the purpose stated at the time of collection.
b. Sources of Collection
We collect Personal Information from the following sources and use it as described below:
- Directly from you when you contact HealthStream. If you contact HealthStream using the forms or links on the Site or by email or other means, you voluntarily provide us with your:
- Identifiers like your name, email address, and telephone number, and any other Personal Information you choose to include in your communication.
- Employment information like your title and organization type (e.g., hospital, home health facility, etc.).
- If you make a purchase on the Site, we will collect the commercial history of your purchase(s) and use a PCI-compliant payment processor or bank to process any payments related to your purchase.
We collect this information with your consent, and we use it to respond to your inquiries and to communicate with you about HealthStream according to your communication preferences.
- Directly from you when you register to use the Services. You must register and create an account to use some of our Services. When you register, we collect the Personal Information we need to facilitate your use of the Services, such
- Identifiers like your name, email address, mailing address, and phone number, as well as your login credentials.
- Employment and educational information like your title, credentials, specialty, privileges, and education and work status and history.
- Biometrics like your photograph or health data.
- Depending on the Services you use, sensitive Personal Information (in some cases including protected health information as described in Section 5) and protected information like health status, tax ID or other government ID, military status, citizenship,
birth country, ethnicity, and visa information, as applicable and in our role as a service provider according to instructions from your Provider. In some cases, your Provider may instruct us to collect protected health information subject
to health privacy laws as described in Section 5.
- Additional employment information or educational information related to your credentials or education, if required by your Provider.
We collect this information with your consent, and we use it to provide the Services, identify and administer your account, and communicate with you. If you use our Services via a Provider, the Provider is responsible for obtaining your consent and
the Provider's Administrator may be able to access, maintain, and share any Personal Information associated with your User account. You have the option to refuse to supply requested Personal Information, but doing so may impede your ability to
use the Services or work with your Provider.
- From your Provider. Some of our Services allow a Provider to create a User's account on their behalf and/or provide some or all of the necessary Personal Information to register a User with the Services. Additionally, your Provider
may contract with third parties to transmit Personal Information to the Services for inclusion in your account, such as:
- Sensitive Personal Information like health information (e.g., immunizations, health records, or drug screening results), background investigations, and credit reports
- Employment information.
- Non-public educational information.
Your Provider may also input additional Personal Information to the Services as necessary to manage a User's use of the Services. HealthStream collects Personal Information about you from your Provider in our role as a service provider to achieve
our legitimate interest of providing the contracted Services to you and your Provider. Note that we do not control or verify the information provided to us by a Provider. If you have any questions about information on your account not input by
you directly, please contact your Provider.
- Automatically from you when you visit the Site. When you interact with the Site, we automatically collect technical data about your internet activity such as your IP address and the content with which you interact. Like most online
services, the Site uses analytics cookies as described in our Cookie Notice. We collect this information to achieve our legitimate interest of managing and improving our Services. We use this information to administer the Site, provide and improve
the Services, analyze usage, protect the Services and its content from inappropriate use, and improve the nature and marketing of the Services.
c. Other Uses
In addition to the specific uses described above, HealthStream might also use your Personal Information to:
- Provide, maintain, and improve the Services;
- Personalize the User experience and provide support;
- Send you support and administrative messages;
- Monitor your compliance with any of your agreements with us;
- Detect, investigate, and prevent fraudulent transactions and other illegal activities and protect the rights and property of HealthStream or others;
- Comply with applicable laws, regulations, legal processes or court orders;
- If we believe it is necessary, to identify, contact, or bring legal action against persons who may be causing injury to you, to us, or to others; or
- Fulfill any other purpose to which you consent.
d. Retention of Personal Information
HealthStream retains all Personal Information collected through the Services for as long as required to fulfil the purpose for which it was collected. HealthStream's retention periods are determined by the regulations or policies that apply to the Providers
or Users of a given Service. This means in some cases HealthStream may be required to retain Personal Information for a specified period or indefinitely, unless or until an individual User requests that HealthStream delete some or all of their Personal
Information. This retention policy is necessary to enable HealthStream to serve as a secure repository of information required for Users to work or participate in programs in healthcare settings.
4. Disclosing Personal Information
In the preceding 12 months, HealthStream has disclosed all categories of Personal Information that we collected for a business purpose to the recipients described below.
HealthStream may disclose Personal Information to the recipients described below, or to other recipients with your permission or as required by law:
- Your Provider. If you use a HealthStream Service in connection with your employment or participation in an educational or healthcare program with a Provider, HealthStream operates as a service provider to your Provider. As such, we
may disclose any Personal Information associated with your account to your Provider to enable you and your Provider to manage your role within that organization or for the Provider to provide other services to you.
- Our Service Providers. We use a variety of service providers such as data hosting companies, analytics services, email hosting services, and payment processors. The type of information that we share with our service providers will
depend on the service that they provide to us. Our service providers are subject to contractual agreements that protect your Personal Information, and we require all service providers to maintain confidentiality standards that are commercially
reasonable to ensure the security of your Personal Information.
- Our Affiliates. As a part of the HealthStream family of services, we may disclose the Personal Information we collect about you via HealthStream to HealthStream or other services or brands offered by HealthStream ("Affiliates").
For example, we share Personal Information with Affiliates for customer support purposes or to improve our operations.
information to serve targeted or personalized content or advertising. To opt-out or control how cookies interact with your device, see Your Privacy Rights.
- Other Third Parties. Under specific circumstances, we may disclose Personal Information to certain third parties as permitted by applicable law, for example: if we go through a business transition (e.g., merger, acquisition, or asset
sale); to law enforcement as required by enforcement or judicial authorities; to comply with a legal requirement or a court order; when we believe it is appropriate to take action regarding illegal activities or prevent fraud or harm to any person;
to exercise or defend our legal claims; or for any other reason with your consent.
c. Aggregated and Deidentified Information
We reserve the right to disclose aggregated, anonymized, or deidentified information about any individuals with affiliated or nonaffiliated entities for marketing, advertising, research, or other purposes, without restriction. For example, we may share
reports showing trends about the general use of our Services without identifying an individual.
5. Health Privacy Laws & Educational Privacy Laws
When HealthStream provides the Services as a service provider, your Provider may instruct HealthStream to collect or process information that is protected under health privacy laws or education privacy laws. In such cases, HealthStream collects protected
health information as a "business "associate" to the Provider as a "covered entity" under the U.S. Health Insurance Portability and Accountability Act of 1996 or the privacy and security rules promulgated thereunder ("HIPAA"). If
your Provider is an educational institution, HealthStream is a contractor working on behalf of the Provider and is therefore considered a "school official" under U.S. Family Educational Rights and Privacy Act ("FERPA") and equivalent
laws. In these cases, HealthStream's privacy practices are governed by contractual agreements with your Provider; and your Provider, and not HealthStream, is responsible for all decisions regarding the use, disclosure, or safeguarding of protected
health information or non-public educational information. Please direct questions about your protected health information or non-public education information to your Provider.
For all other uses of our Services, HealthStream is not subject to HIPAA or FERPA or the equivalent laws applicable to other jurisdictions where are our Services are available, and we make no warranty or representation that disclosures of information
via the Services are permissible under such laws or that the Services comply with any law or regulation governing health care, medical professionals, or educational institutions.
6. Services offered in the United States
HealthStream is owned and operated in the United States and is designed to serve Users and Providers in the United States and Canada. We do not market the Services to residents of the European Union or any other jurisdiction outside of the United States
and Canada. If you are an EU resident, please do not submit any Personal Information to HealthStream.
Nonetheless, if you are a registered User who is a non-US resident or if you visit the Site from outside of the United States, you acknowledge that Personal Information we collect about you will be transferred to our servers in the United States and maintained
there in accordance with our retention policy. This may require the transfer of your Personal Information out of your country of origin with laws governing data collection and use that may differ from or be more restrictive than U.S. law, or may result
in governments, courts, law enforcement, or regulatory agencies having access to or obtaining disclosure of your Personal Information pursuant to the laws of the applicable foreign jurisdiction. By allowing us to collect Personal Information about
you, you consent to this Privacy Statement and the transfer and processing of your Personal Information as described in this paragraph, and you waive any and all remedies that you may have based on the laws of your jurisdiction.
7. HealthStream Is Not Designed for Children
HealthStream Services are designed for individuals aged 16 and older. We do not knowingly collect Personal Information from children under 16 without verification of parent or guardian consent. If we discover that a child under 16 has provided us with
Personal Information without parent or guardian consent, we will delete such information from our systems. HealthStream reserves the right to limit use of certain Services to individuals who have reached the age of majority under the laws of their
jurisdiction. If you believe we might have any information collected online from a child under 16, or if you become aware of any unauthorized submission of information to us, please contact us at email@example.com.
Note that HealthStream cannot control the privacy practices of Providers that use our Services. If a Provider chooses to input children's Personal Information on the Services, it is done under their own privacy practices, not ours. HealthStream is not
responsible for the failure of a Provider or other third party to comply with any law designed to protect children or any other law governing their use of our Services. Please contact the Provider directly if you have questions about their privacy
8. Your Privacy Rights
Controlling Your Personal Information
HealthStream provides you with options to control the Personal Information we hold about you and how we use it directly through our Services:
- Your Account: Registered users can change or delete certain Personal Information in their accounts at any time by signing into the Services and editing information or changing settings. Please contact your Provider if you wish to
change Personal Information on your account but are not able to do so yourself. Because HealthStream serves as an information repository for Providers, we may be unable to delete your Personal Information as part of our obligations to meet our
legal or contractual requirements.
- Email Communications: If you provide us with your email address, we may send you informational or support emails or, if you opt-in, marketing emails about the Services. If you do not wish to receive these emails, you can change your
preferences via the links provided in the emails or by sending a request to privacy@HealthStream.com to be removed from our email list. Please note, however, you cannot opt out of emails relating
to Services you use, transactions you initiate, or changes to our Terms, this Privacy Statement, or other policies or notices that may affect your access to and use of the Services.
- Do Not Track:Do Not Track signals are signals sent through a browser informing us that you do not want to be tracked. Currently, our systems do not recognize browser "do-not-track" requests. If this changes in the future, we will
update this Privacy Statement.
Depending on where you reside, you may have additional privacy rights or be entitled to additional controls over your Personal Information. Please see our supplemental notices specific to residents of California and Canada.
Consumer Privacy Requests
If you wish to exercise your privacy rights beyond the methods available through the Services, or if you want to express concerns, lodge a complaint, or request information, please contact your Provider. Alternatively, you can submit a verifiable Consumer
Privacy Request using our online Consumer Privacy Request form or email HealthStream at firstname.lastname@example.org.
We endeavor to respond to Consumer Privacy Requests in accordance with the requirements of the law applicable to your jurisdiction. We do not charge a fee to process or respond to a verifiable request unless we have legal grounds to do so. If we determine
that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request. Depending on the circumstances and the nature of your request, we may be unable to fulfill your request
in part or in whole, for example, if your request falls within a statutory exception or if fulfilling your request would prevent us from complying with a statutory or contractual obligation.
Note that if you use our Services via your Provider, we cannot fulfill your request directly. Instead, we will relay your request to your Provider for further processing and fulfillment.
California Privacy Rights
This section provides residents of the State of California ("California Consumers") with the disclosures and notices required under the California Consumer Privacy Act of 2018, as amended ("CCPA"). The following paragraphs
apply solely to California Consumers and describe the specific rights afforded under the CCPA.
In many cases, HealthStream collects Personal Information about you in a business-to-business context or as part of your employment with a Provider. Please note that Personal Information collected and used in this context is not protected under the CCPA.
California Consumers may exercise the following rights over their Personal Information, subject to any exceptions and limitations that may apply:
- Right to Know:You have the right to request that we disclose information to you about our collection and use of your Personal Information, such as: (i) categories of Personal Information we have collected about you; (ii) categories
of sources for the Personal Information we have collected about you; (iii) our business or commercial purpose for collecting, selling, or sharing your Personal Information; (iv) categories of third parties with whom we disclose your Personal Information;
and (v) a list of specific pieces of Personal Information we have collected about you. If a business sells or shares your Personal Information, you also have the right to request disclosure of the categories of your Personal Information sold or
shared and the categories of third parties to whom that Personal information was sold or shared, as well as the categories of Personal information disclosed for a business purpose and the categories of recipients of that information. HealthStream
is only required to respond to two disclosure requests from you within a 12-month period.
- Right to Access. You have the right to request that we provide you with access to specific pieces of Personal Information we have collected about you (also called a data portability request). If you submit a right to access request,
we will provide you with copies of the requested Personal Information in a portable and readily usable format. Please note that HealthStream may be prohibited by law from disclosing copies of certain Personal Information when the disclosure would
create a substantial, articulable, and unreasonable risk to the security of the information, our systems, or your account. In some cases, your access may be limited to Personal Information collected over the preceding 12-months. We are only required
by law to respond to two access requests from you within a 12-month period.
- Right to Correct. If you discover that we maintain inaccurate Personal Information about you, or if your Personal Information changes, please inform us and we will update our records to reflect the correct information.
- Right to Deletion. You have the right to request that we delete Personal Information that we collected from you and retained, with certain exceptions. Requests to delete may be denied to comply with regulatory or contractual requirements,
or subject to other legal exceptions or limitations. If we grant your request, we will permanently delete, deidentify, or aggregate the Personal Information. We will confirm the Personal Information to be deleted prior to its deletion, and we
will notify you when your request is complete.
- No Selling or Sharing Personal Information. HealthStream does not sell your Personal Information to any third parties or share your Personal Information with third parties for cross-contextual behavioral advertising purposes. If this
changes in the future, we will update this Privacy Statement and provide you with a method to opt-out of such sale and sharing.
- Limited Use and Disclosure of Sensitive Personal Information. HealthStream does not use or disclose sensitive Personal Information for the purpose of inferring characteristics about any consumer. If this ever changes in the future,
we will update this Privacy Statement and provide you with methods to limit use and disclosure of Sensitive Personal Information. However, we have no control over whether a given Provider may use or disclose a registered user's sensitive Personal
information for any particular purpose. Please direct any questions about your sensitive Personal Information to the respective Provider.
- Right to Nondiscrimination. We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by law, we will not: (i) deny you goods or services; (ii) charge you different prices or rates for goods or
services; (iii) provide you a different level or quality of goods or services; or (iv) suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services, because you exercised a right
under the CCPA.
- Right to Disclosure of Marketing Information. Under California's Shine the Light Act (Ca. Civ. Code § 1798.83-1798.84), California Consumers are entitled to request certain disclosures about Personal Information sharing with
affiliates and/or third parties for marketing purposes. Please contact us if you wish to obtain these disclosures.
California Consumers may exercise these rights over their Personal Information by contacting their Provider or by sending HealthStream a verifiable Consumer Privacy Request, subject to any exceptions and limitations that may apply.
Canadian Privacy Rights
This section provides supplemental information to residents of Canada ("Canadian Consumers") in compliance with Canada's Personal Information Protection and Electronic Documents Act ("PIPEDA") and applies solely to
Canadian Consumers where PIPEDA applies. The following paragraphs describe PIPEDA rights and explain how to exercise those rights.
- Right to know why we collect, use and distribute the Personal Information we process. We have set the required notices in this Privacy Statement. We may provide you with additional notices about other ways we process your Personal
Information, such as by sending you a notice via email or by other means of communication.
- Right to expect us to collect, use or disclose Personal Information responsibly and not for any other purpose other than which you consented. We set your expectations in this Privacy Statement, and collect express or implied consent
at various stages of collection or processing. If we collect or use your Personal Information based on your consent, we will also notify you of any changes and will request your further consent as needed. You may withdraw your consent at any
time with reasonable notice by contacting us at email@example.com.
- Right to accuracy of your Personal Information. We take steps to reasonably ensure that your Personal Information we are using is accurate. In most cases, we rely on you to ensure that your information is current, complete, and
accurate. We provide methods for you to correct, update, and delete inaccurate Personal Information in your account, and we will provide you with reasonable assistance to ensure that your Personal Information is accurate in our systems
and with our service providers.
- Right to access your Personal Information. Upon written request and identity authentication, we will provide you with your Personal Information under our control, information about the ways in which that information is being used
and a description of the individuals and organizations to whom that information has been disclosed. We will make the information available within 30 days or provide written notice where additional time is required to fulfil the request. If
limited by law or potential infringement on another's privacy rights, we may not be able to provide access to some or all of the Personal Information you request. If we must refuse an access request, we will notify you in writing, document
the reasons for refusal and outline further steps that are available to you.
Canadian Consumers may exercise the above rights over their Personal Information by contacting their Provider or by sending HealthStream a verifiable Consumer Privacy Request, subject to any exceptions and limitations that may
9. Data Security
HealthStream implements reasonable and appropriate security procedures and practices to help protect your Personal Information from unauthorized or illegal access, destruction, use, modification, or disclosure. We employ a series of security measures,
including secure login, multifactor authentication, encryption in transit and at rest. We ensure that HealthStream employees, contractors, and agents responsible for handling Personal Information and privacy matters are informed of applicable
privacy law requirements.
Please note, however, that no transmission of data over the internet is 100% secure. We cannot guarantee that unauthorized third parties will not defeat our security measures or use your Personal Information for improper purposes. We also have no
control over any Provider's security measures or practices, and we make no representations or guarantees that your Personal Information is secure once transmitted or stored on their systems.
It is your responsibility to keep your account secure from unauthorized access. We encourage you to take steps to protect against unauthorized access to your account, such as choosing a robust password, keeping the password private, and signing off
after using a shared computer or other device. HealthStream is not responsible for any lost, stolen, or compromised passwords, or any unauthorized activity on your account.
10. Third Party Websites
The Site may include links to other websites whose privacy practices may differ from ours. If you submit Personal Information to any of those websites, your information is governed by the privacy policies of those other websites. You should carefully
11. Changes to this Privacy Statement
We may periodically update this Privacy Statement. If we make any material changes, we will notify you through the Services or by updating this posting. The date that this Privacy Statement was last revised is identified at the top of the page. Your
continued use of the Services after the effective date will be subject to the new Privacy Statement. You are responsible for periodically checking this Privacy Statement for changes.
12. Contact Us
If you have questions about our privacy practices or would like to make a complaint, please contact us at firstname.lastname@example.org or by calling 800.521.0574.