Phreesia Platform Privacy Policy

Phreesia platform users have a choice to receive health-related materials that are personalized for them.  If you entrust your personal data to Phreesia for this purpose, you have certain privacy rights. 

For purposes of this Privacy Policy, “personal data” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked (directly or indirectly) with an individual or household.  Sometimes, you may have heard “personal data” referred to as “personal information” or “personally identifiable information” or “PII.”  These terms generally mean the same thing. 

We want you to understand how our product collects your personal data, how we use your personal data to deliver personalized health-related materials to you, and how we protect your personal data.  We also want you to understand what your rights are when it comes to your personal data.  This Privacy Policy tells you those things. 

1. What are our values?

At Phreesia, we believe that when equipped with accurate, personalized, scientifically sound information, you can focus on what is important to your health, better participate in your healthcare, and advocate for yourself.  We deliver health-related materials that support those outcomes.  We believe that all the health-related materials we present on our platform can help patients improve their health and wellbeing.  You can learn more about the standards for health-related materials that appear on Phreesia’s platform in our Third-Party Content Policy. 

We rely on individuals to direct us as to whether they want to receive this content.  When you give us permission to use your personal data to show you personalized information related to your healthcare, we do.  When you ask us to stop using your personal data for that purpose, we do that too. 

2. What does this Privacy Policy cover?  And what does it not cover? 

To understand how our platform collects and uses your personal data, it’s important to understand a bit about how our products work. 

We provide a web-based check-in platform and other tools to physicians and other healthcare providers (“Healthcare Providers”).  When Phreesia works for Healthcare Providers and receives individually identifiable health information from, or on behalf of, these Healthcare Providers, Phreesia is acting as a “business associate” of those Healthcare Providers and the individually identifiable data it receives is regulated by a federal statute called the Health Insurance Portability and Accountability Act of 1996, as amended and with its regulations, “HIPAA.”  HIPAA generally treats Healthcare Providers as HIPAA “covered entities,” and we enter into “business associate agreements” with those Healthcare Providers that require us to safeguard their patients’ protected health information (“PHI”) in accordance with HIPAA.  This Privacy Policy does not cover any HIPAA-regulated PHI that we hold on behalf of covered entities.  If you want to know more about how we protect your HIPAA-regulated PHI, please visit our Patient Privacy and Security webpage.  

Sometimes, Phreesia may display a permission form (called an “authorization” in HIPAA) to you when you are using the Phreesia platform.  For example, when you are completing intake forms for your Healthcare Provider, we may present an authorization to you.  If you are interacting with our platform and you choose, you can electronically accept that authorization form and request that your Healthcare Provider share personal data with Phreesia, so we can provide you with personalized health-related materials.  This Privacy Policy applies when Phreesia receives personal data from your Healthcare Provider under the authorization form. 

Aside from when we’re working as a HIPAA business associate, there are a few other times when this Privacy Policy does not apply: 

  • If you are not of age to provide consent to share personal data with us, you may not use our technology to share personal data with us.  Accordingly, this Privacy Policy only applies to legal adults who are age 18 and older and who are the intended users of our technology.  If you are an adult and you provide consent to share data for a minor or for another adult for whom you have the right to consent, you should read the references in this Privacy Policy to “your personal data” to mean the personal data of the individual for whom you are providing such consent. 
  • This Policy is posted on Phreesia’s public website, Phreesia.com, which provides the public with general information about our business.  However, our website does not collect personal data from your Healthcare Provider.  There is a separate Website Privacy Policy linked on the left side of this page that describes how Phreesia handles website visitor data. 
  • This Privacy Policy does not apply to data handled by Phreesia’s subsidiaries.  They are governed by their own Privacy Policies and/or their applicable business associate agreements. 

3. What personal data does Phreesia collect—and what does Phreesia not collect? 

Phreesia collects personal data about your health that is governed by this Privacy Policy from your Healthcare Provider only if you choose, or have chosen, to release such personal data to us by signing an optional HIPAA Authorization.  The personal data that we collect may include the health information you entered into your Healthcare Provider’s intake forms on the Phreesia platform, as well as information that your Healthcare Provider has gathered and included in your medical, insurance or appointment records.   

After you sign the optional HIPAA Authorization, we may obtain additional personal data from you as you interact with Phreesia’s products and services, including: 

  • Information you voluntarily enter into the screens (for example, if you answer survey questions or provide contact information for follow-up from a third party); 
  • Information about the health-related materials you see; and 
  • Technical information that helps our product function, for example, information from your browser, computer, or mobile device as you continue to interact with Phreesia’s products or services.  This information includes device and network information, log files and analytics information.  Phreesia also makes use of log files, which include IP addresses, browser type, date/time stamp, and number of clicks. 

There are certain types of information that we do not collect: 

  • When you sign an authorization, we do not collect certain information from your Healthcare Provider.  For example, we do not collect information on abortion history, child abuse or neglect, or psychotherapy notes from your Healthcare Provider. 
  • We do not use geolocation trackers.  We never use GPS data from your device to deliver messages to you.  We do not track your browsing activity on third-party sites with third-party pixels, cookies or similar technologies.  This means we do not track your internet search history, social media activity, purchase patterns or other information you input into other websites. 
  • We do not allow third parties to collect information about you for their own purposes through pixels, cookies or similar technologies.  For example, we do not allow third-party trackers to collect information about your use of our platform in order to present you with advertisements on third-party sites such as social media, search engines, or other sites on which advertisements are presented. 

4. How do we protect your personal data? 

Privacy and security are top priorities for us–not boxes to be checked during a once-a-year review.  At every level of our organization, we have measures and protocols in place to protect your information, and we foster a culture focused on safeguarding data.  We’re honored to have those efforts recognized with many of the industry’s most well-known certifications.  More information is available at https://www.phreesia.com/products/security/. 

5. How do we use your personal data? 

To share personalized health-related materials with you. 

We use your personal data to show you personalized messages and surveys related to your healthcare.  Specifically, our technology matches your personal data to health-related material that may be relevant to you.  We’re paid to deliver some materials, and not paid to deliver others.  Sometimes, we will show you information that may support your healthcare journey.  Other times, healthcare leaders may want your input to inform their decisions—for instance, our product may match you to a relevant survey that you might wish to take.  Such surveys may also include marketing content. 

You are not required to answer any surveys.  You are also always welcome to skip viewing the personalized messages or surveys or to stop receiving them. 

To stop receiving personalized health-related materials, or to stop having your Healthcare Provider provide information to us pursuant to your HIPAA Authorization, you may revoke your HIPAA Authorization by writing to Phreesia’s Privacy Officer at Privacy Officer, Phreesia, Inc., 1521 Concord Pike, Suite 301, PMB 221, Wilmington, DE 19803 or privacy@phreesia.com and providing your name, date of birth, home address and provider’s name.  This personal data will not be used for any purpose other than to verify your identity in order to revoke your authorization. 

To plan the content on our platform and to measure the effectiveness of content shown to you. 

We may also use your personal data to help us understand general trends about groups of users on our platform and the types of content those groups are likely to find helpful, as well as to measure the effectiveness of the health-related materials that we present to you on our platform. 

To create de-identified health information. 

We use your personal data to create data sets of de-identified health information by removing information that identifies you (for example, your name) or which could be used to identify you (for example, your street address).  Once de-identified, this data no longer relates to you and is no longer considered “personal data” that is governed by this Privacy Policy.  We may use de-identified information for various purposes, including internal business analytics, product improvement purposes, and to measure the effectiveness of content shown to you. 

To provide security. 

We protect your personal data using security practices that we regularly review and update.  We may be required to access your personal data to provide appropriate security.  For example, we may verify activity, investigate suspicious activity, and detect and prevent security threats.  Section 4 above provides more information about our security practices. 

6. When is your personal data disclosed? 

Your personal data may be disclosed only under limited circumstances, such as for one of the purposes described below:  

Your Request 

Some of the personalized health-related materials may offer you the ability to receive additional communications directly from the sponsor of the materials.  For example, a pharmaceutical manufacturer who makes a medicine may sponsor a message about that medicine that you see, and ask if you would like to receive additional communications about the medicine directly from them. 

You are never required to agree to receive any communications directly from sponsors.  Any opportunity to receive additional communications describes what personal data you would be sharing (such as your name and email address) and for what purpose.  If, after reading this explanation, you decide that you want to share some of your personal data with the sponsor, then we will complete your request. 

Your Healthcare Provider 

We may share certain personal data with the healthcare provider from whom we collected your personal data under your signed HIPAA Authorization.  For example, we may let them know what information you and other patients have seen on the platform so they can understand how your interaction with the Phreesia platform relates to their care for you. 

Service Providers 

With contractual provisions appropriate to protect your privacy and security, we use service providers to help us operate.  In this context, service providers are those that we pay to help us store or otherwise process your personal data.  For example, we may use cloud computing companies to process personal data when we provide our services.  These service providers are contractually required to protect and secure your information. 

Legal and Government Access 

We will not share your personal data with law enforcement, government agencies, or private litigants unless such a disclosure is required by a valid and legally binding request. 

If we receive a law enforcement request for your personal data, we will try to notify you by sending an email to an email address we have on file for you, unless the law does not allow us to provide this notice to you. 

Business Organizations 

We may disclose your personal data in connection with any business combination, securities offering, bankruptcy, reorganization, dissolution or other similar transaction.  In such case, your personal data would remain subject to the provisions of this Privacy Policy, unless amended as described below. 

7. How long do we store your personal data? 

Typically, we retain your personal information for the period necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.  In certain situations, we must retain all, or a portion, of your personal data to comply with our legal obligations, resolve disputes, enforce our agreements, to protect against fraudulent, deceptive, or illegal activity, or for another one of our business purposes.  To determine how long we will retain your personal data, we may consider the volume and sensitivity of the personal data, the purposes for which we collect and use the personal data, applicable legal and regulatory requirements, or our retention or recordkeeping policies and obligations. 

8. What privacy laws apply? 

We take your privacy seriously, no matter where you live.  However, if you live in certain states, particular rights may be available to you under your state’s laws.  This section describes those rights as well. 

Certain State Privacy Laws 

Residents of certain U.S. states, such as California, Colorado, Connecticut and Virginia, may have personal data rights under the laws of their state (“State Privacy Laws”).  Below, we describe those rights, explain how to exercise them, and provide additional information about your personal data. 

Additional Information About Our Data Collection 

We collect the categories of personal data described in this Privacy Policy from Healthcare Providers under an authorization form, and directly from you when you interact with our health-related materials, as described in this Privacy Policy.  We use the personal data for the purposes described in Section 5 of this Privacy Policy.  The personal data we collect includes the following categories:  

  • Identifiers, such as your name, address, phone number, email address, and other similar identifiers. 
  • Personal data such as your medical, insurance or appointment records. 
  • Characteristics of protected classes under law, including gender, race and age. 
  • Sensitive personal information, including race or ethnic origin, information concerning health, information concerning sex life or sexual orientation.  We only use sensitive personal information to provide you with the health-related materials you request and to perform related services on behalf of our business. 
  • Internet activity information, such as session logs of use of our platform.  However, as noted above, we do not gather information through third-party trackers placed on other sites. 

Sharing and Selling with Third Parties 

We have not shared personal data with, or sold personal data to, third parties, as those terms are defined under State Privacy Laws.  As noted above, we only provide limited personal data to the sponsors of health-related materials on our platform when you specifically request further material directly from the sponsor. 

Your Rights, How to Exercise Your Rights, and How to Contact Us 

You, or your authorized agent, may exercise any of your State Privacy Law rights by emailing Phreesia’s Privacy Officer at privacy@phreesia.com or writing to Privacy Officer, Phreesia, Inc., 1521 Concord Pike, Suite 301, PMB 221, Wilmington, DE 19803.  Before we can implement your request, we’ll need to confirm your identity.  To allow us to confirm your identity, you will need to provide your name, date of birth, home address, and the name of the Healthcare Provider with which you used our platform. 

You can also contact our Privacy Officer at the methods listed above if you have any questions or concerns about this Privacy Policy or our information practices. 

Right to Know and Access the Personal Data We Collect and Share 

You have a right to request that we disclose the personal data we have collected about you, the categories of personal data we have collected, the sources of the personal data, and the purposes of the collection.  Much of that information is set forth in this Privacy Policy.  We will disclose and deliver the required information within 45 calendar days of receiving your request.  This 45-day period may be extended once by an additional 45 days when reasonably necessary; however, we must give you notice of this extension.  You may make this request twice a year, free of charge. 

Right of Deletion 

You may request that we delete the personal data we have collected about you, subject to certain legal exemptions. 

Right of Correction 

You have a right to correct any inaccurate personal data we maintain about you. 

Right to Non-Discrimination 

You have a right not to receive discriminatory treatment for the exercise of privacy rights conferred to you under State Privacy Laws. 

Retention 

As described above, we retain your information for the period necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law. 

United Kingdom and European Economic Area 

We do not provide Phreesia services in the UK or EEA.  Phreesia has wholly owned subsidiaries that provide limited services to entities outside the United States, including in the UK and EEA.  However, Phreesia does not collect personal data to offer personalized health-related materials in those jurisdictions.  This Privacy Policy does not cover data handled by those subsidiaries.  

9. How will changes to this Privacy Policy be handled? 

Phreesia works hard to be transparent about the ways in which we use your personal data.  We know that you trusted us with your personal data, and we will do everything we can to honor that trust.  

We may update this Privacy Policy from time to time.  We want to ensure that this Privacy Policy stays up to date.  To ensure that it does, we look to any relevant changes in law or regulation at the federal or state level, as well as regulatory guidance.  We monitor the development of new technologies and practices that may impact the privacy of your personal data, learnings that can be gleaned from publications on topics relevant to user privacy, and the practices of stakeholders and participants in our industry, including feedback that our clients and users share with us. 

If we do update our Privacy Policy, we will update this webpage.  You can determine when this Privacy Policy was last revised by referring to the date at the bottom of this page. Any changes to our Privacy Policy will become effective upon posting of the revised Privacy Policy.  We encourage you to bookmark this webpage and to periodically review it to ensure familiarity with the most current version of our Privacy Policy.

Effective Date: November 20, 2023