Last updated December 12, 2022
HealthStream understands that your privacy is important, and we want you to have a very clear understanding of how we collect and treat the information you entrust to us. Here is a summary of our promise to you, as detailed in this Privacy Statement:
We encourage you to read this Privacy Statement in full to understand in detail how we collect and use information.
In this Privacy Statement, HealthStream, Inc. and our affiliates, corporate parent(s), and subsidiaries are collectively called “HealthStream,” “we” or “us” and our Services means healthstream.com and other websites we own or operate (the “Site”), and our web-based services, digital properties, and applications, and your communications with us.
This Privacy Statement describes how HealthStream collects and treats information through our Services, except for Keener, Nursegrid or myClinicalExchange, each of which is governed by its own privacy statements, not this one.
It does not apply to information collected through a Provider’s website or service, even if the Provider uses HealthStream Services. Please contact your Provider with any questions.
By using or accessing HealthStream Services in any manner, you acknowledge and accept this Privacy Statement, and you consent to our collection, use, and disclosure of your information as described below. If you do not agree with this Privacy Statement, do not use our Services.
When we say, “Personal Information,” we mean information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual consumer or household. Personal Information falls within these categories:
Some of your information is not protected as Personal Information, such as: (i) publicly available information; (ii) aggregate information, meaning data about a group or category of services or users from which individual identities and other Personal Information has been removed; or (iii) deidentified information that cannot be easily linked back to the individual.
About Personal Information Collection
How you use the Services determines how we collect and use your Personal Information. For example, you might be a Site visitor, a healthcare practitioner or other individual user (“User”), or an administrator or other representative (“Administrator”) of a health system, hospital, or other healthcare provider using our Services (“Provider”). We only collect, use, retain, and disclose Personal Information as reasonable and necessary and proportionate to provide you with the Services, or we might use it in other compatible ways that we would tell you about first.
During the last 12 months, we have collected (i) identifiers; (ii) employment-related information; (iii) non-public educational information; (iv) biometrics; (v) protected information; (vi) sensitive Personal Information; (vii) commercial information; (viii) internet activity; and (ix) inferences. We collect this information from:
Directly from you, with your consent. You must register and create an account to use some of our Services. When you register, we collect the Personal Information we need to facilitate your use of the Services, such as:
We use this information to provide the Services, identify and administer your account, and communicate with you. If you use our Services via a Provider, the Provider is responsible for obtaining your consent and the Provider’s Administrator may be able to access, maintain, and share any Personal Information associated with your User account. You can refuse to supply requested Personal Information but doing so may impede your ability to use the Services or work for your Provider.
From your Provider, as a service provider. Your Provider might create your User account or register for you or contract with third parties to transmit Personal Information to the Services to include in your account, such as:
HealthStream collects this Personal Information as part of our contract as a service provider to the Provider. Note that we do not control or verify the information a Provider submits to us. If you have any questions about information on your account not input by you directly, please contact your Provider.
Directly from your communications, with consent. If you contact HealthStream using the forms or links on the Site or by email or other means, you voluntarily provide us with your:
We use this information to respond to your inquiries and to communicate with you about HealthStream according to your communication preferences.
Automatically from your use of the Site, with legitimate interest.
In addition to the specific uses above, we might also use your Personal Information to (i) provide the Services and personalize your experience; (ii) send you support and administrative messages; (iii) monitor your compliance with any of your agreements with us; (iv) protect your privacy and enforce this Privacy Statement; (v) identify, contact, or bring legal action against persons or entities who may be causing injury to you, to HealthStream, or to others if we believe it is necessary; (vi) comply with a law, regulation, legal process or court order; or (vii) fulfill any other purpose to which you consent. HealthStream will update this Privacy Statement or otherwise notify you and obtain your consent where required under applicable law before we collect additional categories of Personal Information or use your Personal Information for purposes that are incompatible with the purpose stated at the time of collection.
About Retention Periods
HealthStream retains Personal Information for the minimum period necessary to fulfil the purpose for which it was collected. Sometimes our retention periods are determined by the regulations or policies that apply to the Providers or Users of a given Service. This means HealthStream may be required to retain Personal Information for a specified period or indefinitely, unless or until a User requests that we delete some or all of their Personal Information. HealthStream’s data retention practices are designed to ensure that our Services serve as a secure repository of information in healthcare settings, comply with regulatory requirements, and support a policy of good data hygiene.
About Disclosure to Third Parties
We only disclose your Personal Information in limited circumstances and for specific purposes. If any Service allows for social connectivity or sharing, we will notify you of the privacy implications of using the feature before you proceed. In the last 12 months, HealthStream has disclosed all categories of Personal Information that we collected for a business purpose to these recipients:
Our Service Providers
Law enforcement or other governmental agencies as permitted or required by law.
Cookie information recipients subject to their respective privacy statements.
Other Third Parties, as permitted by applicable law.
About Aggregated and Deidentified Information
HealthStream may use fully anonymized, deidentified or aggregated data generated using Personal Information to assist with our research, marketing, advertising, or other purposes. This information is not your Personal Information, so we may do this for our purposes and without restriction. If we ever have a data collection mechanism specifically intended for a Provider’s use, we will notify you that the data is being collected for that specific purpose and help you understand the privacy implications before you use it.
Your Provider may instruct us to collect or process information about you that is protected under health privacy laws or education privacy laws. If we collect or process protected health information, HealthStream is a “business associate” to the Provider as a “covered entity” under HIPAA. If your Provider is an educational institution, HealthStream is considered a “school official” to the Provider under FERPA and equivalent laws. Your Provider instructs our activities with this data, and your Provider (not HealthStream) is responsible for all decisions for its use, disclosure, and security. Please contact your Provider if you have questions.
For all other uses of our Services, HealthStream is not subject to HIPAA or FERPA or any of their equivalent or complementary laws, and we make no warranty or representation that disclosures of information via the Services are permissible under such laws or that the Services comply with any law or regulation governing health care, medical professionals, or educational institutions.
Your Privacy Choices and Controls
We provide you with methods to directly control how we collect and use your Personal Information. If you have questions or need help, please contact your Provider, send us a Consumer Privacy Request or email us at privacy@HealthStream.com.
Your Account Profile and Device Settings
Users can sign in to change or delete certain Personal Information in their accounts at any time. As an information repository for Providers, some of the Personal Information on your account cannot be deleted. Please contact your Provider if you wish to make changes to your account but are not able to do so yourself.
You can also control the data we collect by adjusting your device settings.
If you provide us with your email address, we may send you informational or support emails or, if you opt-in, marketing emails about the Services. You can opt-out of marketing emails but not our support or transactions emails. To opt-out, change your preferences via the links provided in the emails, email email@example.com or submit a Consumer Privacy Request.
If you provide us with your wireless number, you consent to HealthStream sending you text messages for informational or authentication purposes. The number of texts that we send to you will be based on your circumstances and requests. You can unsubscribe from text messages by replying STOP or UNSUBSCRIBE to any of these text messages. Messaging and data charges may apply to any text message you receive or send. Please contact your wireless carrier if you have questions about messaging or data charges.
Do Not Track Requests
Do Not Track signals are signals sent through a browser informing us that you do not want to be tracked. Currently, our systems do not recognize browser “do-not-track” requests. If this changes in the future, we will update this Privacy Statement.
Consumer Privacy Requests
If you wish to exercise your rights beyond the methods provided, express concerns, lodge a complaint, or obtain additional information about the use of your Personal Information, please contact your Provider.
Alternatively, you can send us a Consumer Privacy Request or email HealthStream at privacy@HealthStream.com. We will relay your request to your Provider or fulfill it directly if we can. HealthStream does not charge a fee to process or respond to a verifiable request unless we have legal grounds to do so. In that case, we will tell you the cost estimate and why we are charging the fee before completing your request. We may be unable to fulfill some or all of your request, for example, if your request falls within a statutory exception or if fulfilling your request would prevent us from complying with a statutory or contractual obligation.
Depending on where you live or are located, you may have certain rights over your Personal Information. This section provides legally required notices of consumer privacy rights applicable in California, Colorado, Connecticut, Nevada, Utah, Virginia, and other states with similar requirements. If you reside in a state offering privacy protections (“Consumer”), you may have some or all of the following rights related to your privacy:
This section provides supplemental information to residents of Canada (“Canadian Consumers”) in compliance with Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”) and applies solely to Canadian Consumers where PIPEDA applies. The following paragraphs describe PIPEDA rights and explain how to exercise those rights.
Our Services are designed for individuals aged 16 and older. We do not knowingly collect Personal Information from children under 16 without verification of parent or guardian consent. If you believe we might have any information collected online from a child under 16, or if you become aware of any unauthorized submission of information to us, please contact us at firstname.lastname@example.org and we will delete that information from our systems.
HealthStream cannot control the privacy practices of Providers. If a Provider chooses to input children’s Personal Information on the Services, it is done under their own privacy practices, not ours. We are not responsible for any Provider’s or other party’s compliance or noncompliance with laws or regulations. Please contact the Provider directly if you have questions about their privacy practices.
HealthStream is owned and operated in the United States and is designed to serve Users and Providers in the United States and Canada. We do not market the Services to residents of the European Union or any other jurisdiction outside of the United States and Canada. If you are an EU resident, please do not submit any Personal Information to HealthStream.
If you are a registered User who is a non-US resident or if you visit the Site from outside of the United States, you acknowledge that Personal Information we collect about you will be transferred to our servers in the United States and maintained there in accordance with our retention policy. This may require the transfer of your Personal Information out of your country of origin with laws governing data collection and use that may differ from or be more restrictive than U.S. law, or may result in governments, courts, law enforcement, or regulatory agencies having access to or obtaining disclosure of your Personal Information pursuant to the laws of the applicable foreign jurisdiction. By allowing us to collect Personal Information about you, you consent to this Privacy Statement and the transfer and processing of your Personal Information as described in this paragraph, and you waive any and all remedies that you may have based on the laws of your jurisdiction.
HealthStream implements reasonable and appropriate technical, organizational, and physical security measures to help protect your Personal Information from unauthorized or illegal access, destruction, use, modification, or disclosure. We employ a series of security measures, including secure login, multifactor authentication, and encryption in transit and at rest. We ensure that HealthStream personnel responsible for handling Personal Information and privacy matters are informed of applicable privacy law requirements. Our security measures are appropriate to the volume, scope, and nature of the Personal Information processed and designed to meet our duty of care with respect to your Personal Information. Please note, however, that no transmission of data over the internet is 100% secure. We cannot guarantee that unauthorized third parties will not defeat our security measures or use your Personal Information for improper purposes. It is your responsibility to keep your account secure from unauthorized access. HealthStream is not responsible for any lost, stolen, or compromised passwords, or any unauthorized activity on your account. We also have no control over any Provider’s security measures or practices, and we make no representations or guarantees that your Personal Information is secure once transmitted or stored on their systems.
The Services may include links to other websites whose privacy practices may differ from ours. If you submit Personal Information to any of those websites, your information is governed by the privacy policies of those other websites. You should carefully review the privacy statement of any website you visit.
We may periodically update this Privacy Statement. If we make any material changes, we will notify you through the Services or by updating this posting. The date that this Privacy Statement was last revised is identified at the top of the page. Your continued use of the Services after the effective date will be subject to the new Privacy Statement. You are responsible for periodically checking this Privacy Statement for changes.