Engage Health's Privacy Policy

Effective October 14th, 2019

When you join us, you are trusting us with your information. We understand this is a big responsibility and work hard to protect your information and put you in control.

This Privacy Policy is meant to help you understand what information we collect, why we collect it, and how you can update, receive, and delete your information. It describes the information we collect through the website from which you linked (“Site”), market research, and other projects conducted on behalf of our clients.

When we refer to ourselves as “we” or “Engage”, we mean Engage Health, Inc. As a convenience to our visitors, our Site may contain links to third-party websites / content / services that are not owned or controlled by Engage. Engage is not responsible for how these properties operate or treat your personal data, so we recommend that you read the privacy policies and terms associated with these third-party properties carefully. Such third-party links do not constitute an endorsement of those third-party websites, the content displayed therein, or the persons or entities associated therewith. Please read the following to learn our privacy and data storage policies as they pertain to information we gather from individuals.

We collect personal data you choose to provide, e.g. through registrations, applications, and surveys. For example, you may choose to provide your name, contact information, and health information in connection with events or market research. Healthcare providers may choose to provide information relating to their specialties and professional affiliations.

In addition, we may gather information about you through your use of the Site, e.g. your anonymized IP address and how you navigate our Site. See also, the Section below on Cookies and Other Tools.

From time to time, we may use or augment the personal data we have about you with information obtained from other sources, such as public databases, and other third-parties. For example, we may use such third-party information to confirm contact information, to verify licensure of healthcare professionals or to better understand your interests by associating demographic information with the information you have provided.

If you submit any personal data relating to other people to us, you represent that you have the authority to do so and to permit us to use the information in accordance with this Privacy Policy.

You have, at any time, the right to access your personal data stored by Engage, to have the data rectified, completed, blocked or deleted and you may at any time withdraw your consent to the storage, processing and use of your data with effect for the future. Further, your consent is optional and voluntary. Denying consent does not have any negative consequences for you other than you will not be able to participate in a given survey or interview as outlined in the section How We Use Personal Data. More specifically;

  1. You have the right to request disclosure of our collection and sales practices in connection with your data, including the categories of personal information collected, the source of the information, the use of the information and, if the information was disclosed or sold to third-parties, the categories of personal information disclosed or sold to third-parties and the categories of third-parties to whom such information was disclosed or sold;
  2. You have the right to request a copy of the specific personal information collected during the 12 months before your request (together with right #1, a “personal information request”);
  3. You have the right to have such information deleted (with exceptions);
  4. You have the right to request that your personal information not be sold to third-parties, if applicable; and
  5. You have the right not to be discriminated against because you exercised any of these rights.

If you wish to exercise one or more of your rights above, you may contact our Data Protection Officer at dataprotectionofficer@engagehealth.com or at 651-994-0510. Please note you may only make personal information requests twice in a 12-month period, that we will need to collect information from you so we can verify your identity, and that we will respond within 30 days of receiving your personal information request.

We use your personal data to serve you in the following ways:

  • Provide you with newsletters, articles, alerts, announcements, invitations, and other information about health topics, disease states, research studies, clinical research, and other topics related to rare or other health conditions;
  • Operate our business e.g. schedule interviews or pay honoraria;
  • Process, complete and fulfill your requests or inquiries;
  • Communicate with you;
  • To connect you with third-parties; We may offer access to third-party sharing functionality, such as third-party social media widgets / tools / buttons. If you use that functionality, your use is subject to the third-party’s privacy policy and terms. As with all links to non-Engage websites / content / services, we recommend that you read the privacy policies and terms associated with third-party properties carefully;
  • To connect you with educational opportunities such as conferences; On occasion, Engage may connect you to activities, events or promotions that have specific terms, privacy notices and / or consent forms that explain how any personal data you provide will be processed in connection with that program;
  • To provide insights to our clients as they work to develop therapies for various diseases; We use the information you provide for data analysis, to better understand the disease and how certain products and services impact you and those you care for, to track and respond to concerns, and to further develop and improve the products and services of our clients. In addition, we use information you provide to comply with our regulatory monitoring and reporting obligations;

 

We may aggregate and / or de-identify data about persons, including study responders and visitors to our Site and use it for any purpose, such as conducting historical studies, providing reports to third-parties, and product and service development and improvement activities.

Engage may share your personal data as follows:

  • Within our company; Engage may share your personal data amongst employees for the purposes set forth in this Privacy Policy;
  • In connection with business transfers; if we were ever to sell our company to another, or to undergo bankruptcy or other proceedings, we would share your personal data as required, however, it would be used and protected in a manner consistent with this Privacy Policy;
  • With our service providers; We may hire other companies and individuals to perform services on our behalf and we may collaborate with other companies and individuals with respect to particular products or services (collectively, “Providers”). Examples of Providers include data analysis firms, customer service and support providers, email and SMS vendors, web hosting and development companies and fulfillment companies. Providers also include our co-promote partners for products that we jointly develop and / or market with other companies. Some Providers may collect personal data on our behalf on our Site. These third-parties may be provided with access to personal data needed to perform their functions, but they may not use such data other than on our behalf or subject to contracts that protect the confidentiality of the data;
  • To comply with the law; We reserve the right to disclose your personal data as required by law, when we believe disclosure is necessary or appropriate to comply with a regulatory requirement, judicial proceeding, court order, government request, or legal process served on us, or to protect the safety, rights, or property of our customers, the public, Engage or others;

We may also aggregate and / or de-identify data about persons, including study responders and visitors to our Site and share it to third-parties for any purpose.

Healthcare providers’ information

As part of our work, we have a legitimate interest in collecting information that is provided to us by healthcare providers (“HCPs”) under consent that helps us understand certain diseases or the opinions of healthcare providers. Data collected is that which is necessary to answer questions, and can be sourced from multiple mediums including but not limited to surveys and interviews. Engage often pays an honorarium in exchange for an HCP’s participation.

In these cases, personal data relating to a HCP that can be used to identify or indirectly identify them (including, but not limited to, their name, address, institutional affiliation and other information describing their experience or practice) is Personally Identifiable Information (“PII”) and is required for purposes outlined in the section How We Use Personal Data. If a HCP does not consent to providing their PII, they forego the option to be invited to future research, receive updates, or remuneration.

Engage collects Non-Personally Identifiable Information (“Non-PII”) on HCPs, which is anonymous and may be HCPs’ opinions with regard to disease burden, products, and services. We record PII and Non-PII (together defined as “Survey Data”) on Engage’s proprietary, secure servers.

Patients’ and / or their parents’ / legal guardians’ information 

As part of our work, we have a legitimate interest in collecting information provided to us by patients (“PTs”) or their parents / legal guardian(s) (“LGs”) under consent, that helps us understand the burden of illness, the disease, and their opinions about products or services or other issues of interest. Data can be sourced from surveys, interviews, demographic profiles or other means. Engage often pays an honorarium in exchange for a PT’s or LG’s participation. Any and all compensation is solely for time spent and is in no way tied to the use or recommendation of any product or service that is owned by Engage Health or any third-party.

In order to participate in a specific study, often there any specific criteria established. These criteria are clearly laid out in the invitation to participate in order that potential participants know if a certain project pertains to them or their disease.

In these cases, personal data relating to a PT or LG that can be used to identify or indirectly identify them (including, but not limited to, their name, address, institutional affiliation and other information describing their experience or practice) is Personally Identifiable Information (“PII”) and is required for purposes outlined in the section How We Use Personal Data. If a PT or LG does not consent to providing their PII, they forego the option to be invited to future research, receive updates, or remuneration.

Engage collects Non-Personally Identifiable Information (“Non-PII”) on PTs and LGs, which is anonymous and may be PTs’ or LGs’ opinions with regard to disease burden, products, and services. We record PII and Non-PII (together defined as “Survey Data”) on Engage’s proprietary, secure servers.

Minor patients’ information

We generally only allow participation / provision of information of patients (“PTs”) who are aged 18 years or greater. If PTs are younger than 18 years or are unable to answer for themselves, we allow participation by their parent or legal guardian (“LG”). We do not collect personal data from persons not authorized to give it (e.g. we will not collect a PT’s or LG’s personal data from a friend, cousin, acquaintance, etc.).

Additionally, this Site is not directed toward children under the age of 13, and Engage does not knowingly collect information from children under the age of 13. For more information about our policies with regard to the collection of children’s information, read the section Children’s Privacy.

Other interested parties’ information and the Rare Collective, LLC

As part of our work, we have a legitimate interest in collecting information provided to us by various interested parties (“IPs”) under consent, that helps us understand interest in topics, such as a specific blog post, meetings, events, or forums. Engage collects this information under consent either on its own or from the Rare Collective, LLC, of which Engage is a proud partner.

In these cases, personal data relating to an IP that can be used to identify or indirectly identify them (including, but not limited to, their name, address, institutional affiliation and other information describing their experience or practice) is Personally Identifiable Information (“PII”) and is required for purposes outlined in the section How We Use Personal Data. If an IP does not consent to providing their PII, they forego the option to be invited to future research, receive updates, or remuneration.

Engage collects Non-Personally Identifiable Information (“Non-PII”) on HCPs, which is anonymous and may be HCPs’ opinions with regard to disease burden, products, and services. We record PII and Non-PII (together defined as “Survey Data”) on Engage’s proprietary, secure servers.

The Health Information Portability and Accountability Act (HIPAA (Public Law 104-91)), establishes the US national standards to protect individuals’ personal information and is regulated by the US Department of Health and Human Services (HHS).

Under HIPAA, a “covered entity” is a;

  • Health Care Provider: Any provider of medical or other health services, or supplies, who transmits any health information in electronic format in connection with a transaction for which HHS has adopted standard requirements.
  • Health Plan: Any individual or group plan that provides or pays the cost of health care.
  • Health Care Clearinghouse: A public or private entity that transforms health care information received from another entity into a standard (i.e. standard electronic format or data content), or vice versa.

Under HIPAA, “standard transactions” include;

  • The processing of claims or encounters
  • Remittance advice
  • Eligibility inquiry and response
  • Prior authorization and referral
  • Claims status inquiry and response

Because Engage does not provide any of the services noted above noted under the section that addresses “covered entities” and does not conduct one or more of the standard HIPAA transactions, counsel has determined that Engage is a non-covered entity and therefore is not subject to HIPAA regulations.

However, because certain clientele of Engage may consider themselves covered entities, Engage uses reasonable efforts, including technical, administrative and procedural measures, to protect patient data and privacy in the spirit of HIPAA.

At no time does Engage promote itself as a covered entity under HIPAA.

Engage is storing and processing personal data on servers in its possession (i.e. servers owned and operated solely by Engage) in the United States of America (the “US”) and therefore transfers personal data within the US. While we make every reasonable effort to protect information collected, please be aware there is always some risk involved when submitting data. We cannot guarantee that our survey site, website, and servers are 100% safe from illegal tampering or “hacking”. Any data transmitted over the Internet may be at risk, however, once it is received at Engage and entered into our databases, any data you have submitted has the same protection Engage extends to its own confidential information.

We will retain your personal data for as long as needed or permitted in light of the purpose(s) for which it was obtained and as outlined in this Privacy Policy. The criteria used to determine our retention periods include: (i) the information we share with you; (ii) whether there is a legal obligation to which we are subject; or (iii) whether retention is advisable in light of our legal position (such as in regard to the enforcement of the Site Terms of Use, applicable statutes of limitations, litigation or regulatory investigations).

Details of retention periods for your personal data can be obtained by contacting our Data Privacy Officer at dataprivacyofficer@engagehealth.com. Engage Health destroys or de-identifies personal data that is no longer needed using secure methods. If you revoke your consent or request erasure of your personal data, we will delete your personal data typically within 15 business days, but in no case greater than one month.

GDPR (Regulation EU2016/679), or the General Data Protection Regulation, establishes EU standards to protect the personal data of natural persons, while ensuring free movement of information between Member States.

Under GDPR, a “controller” is the organization directing how the data will be used. This may be Engage or its clients. A “processor” is the organization that processes data at the direction of the “controller”, for example, conduct data analyses. This may be Engage, its clients, or service providers.

Engage has legitimate interests and consent as legal bases for processing personal data of EU citizens. Consistent with GDPR, Engage has established reasonable technical, administrative and procedural measures to ensure data protection, even though storage and processing of data is conducted in the US. The section How We Use Personal Data describes Engage’s processing activities.

The processing of personal data by Engage Health is lawful, fair, and along with data use is implicitly outlined at affirmative consent for a given project – and all prospective research participants have the right to decline participation if they desire.

Engage Health routinely collects personal data that are particularly sensitive, including, but not limited to information regarding racial / ethnic origin, information regarding diagnosis, treatment and other issues related to one or more rare diseases, and other health issues. These data are processed for the purposes of benefit to the respondent, other rare disease patients and / or health research purposes, and are subject to consent at / prior to the time of data collection.

The California Consumer Privacy Act of 2018 (CCPA) goes into effect on January 1, 2020. The CCPA applies to businesses, including Engage, that collect personal information of “consumers.” The Act defines a “consumer” as “a natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations. . .”, and grants “consumers” five new rights respecting their personal information. These rights are reflected in the section Your Rights Related to Information We Collect and Store About You.

“Sale” is defined by CCPA to mean “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information to another business or a third party for monetary or other valuable consideration.” (Cal. Civ. Code § 1798.140(t)(1). Please be aware that Engage does not sell your personal information.

  • Under the code, a sale does not occur where data is disclosed to a “service provider.” Several requirements need to be met for this exception to apply: (1.) the transfer must be necessary to perform a task that has a “business purpose”; (2.) the transfer must take place “pursuant to a written contract” that prohibits the service provider from “selling, retaining, using, or disclosing the personal information”; (3.) the business has provided compliant notice to consumers of the fact that it intends to share with service providers; and (4.) the service provider does not further “collect, sell, or use” the personal information of the consumer except as necessary to perform the “business purpose.” Personal information Engage shares with third-party service providers meets the aforementioned requirements, and are consequently not “sales”;
  • Under the code, a sale does not occur when a consumer intentionally directs or uses a business to disclose the consumer’s personal information. This seems to be the equivalent of controller-to-controller transfers with consent of the data subject under EU data protection law. Engage only shares personal information with non-service provider third-parties at the explicit consent of consumers; and
  • We may aggregate and / or de-identify data about persons, including study responders and visitors to our Site, and share with third-parties. Because aggregated and / or de-identified data is not personally identifying, such actions do not constitute a “sale” of personal information under CCPA;

Again, Engage does not sell personal information as per CCPA.

The Children’s Online Privacy Protection Act (COPPA) defines the term “child” to mean an individual under the age of 13. If you are under the age of 13, you may not use this site or submit to Engage information about yourself including, but not limited to, your name, address, telephone number or e-mail address without the written permission of your parent or legal guardian (Collectively referred to as “LG”). We suggest that you have your LG register if you are interested in Engage’s activities. We do not knowingly collect data from children under the age of 13. If we discover a child under the age of 13 or someone other than a LG, we will remove that information from our databases as soon as possible.

Visitors between the ages of 13 and 18 must obtain permission from their parents or guardian before registering on this website, sending any personally identifiable information, participating in online discussions, or submitting content to this website.

Engage’s website (“Site”) uses a technology called cookies, which is a small data file that a server gives to your browser when you access a website in order to let you access the pages you request and to track the pages visited. Using cookies to track page visits helps us analyze Site usage more accurately. In cases in which cookies are used, we will not collect your personally identifiable information (“PII”) except with your explicit permission.

Please note that linked third-party websites may also use cookies. Engage cannot control the use of cookies by these third-party sites. We also want you to know that when you link from this website to another website, that site may have the ability to recognize that you have come from the Site. If you do not want any other websites to know you have been on this Site, we recommend that you do not use the third-party links we provide. If you have any questions about how third-party sites use cookies, you should contact such third-parties directly.

Please see the sections Data We Collect and Use and How We Use Personal Data if you sign up for participation in health research via our Site. We may track the total number of visitors to our Site, the number of visitors to each page of our Site, the sequence or duration of visitors to each page, anonymized IP addresses, and the domain names of our users’ Internet Services Providers, and we may analyze these data for trends and statistics in aggregated or de-identified forms.

Engage Health may restrict the ability of any visitor to submit content or to access any part of the Site at Engage’s sole discretion.

Engage’s Privacy Policy constitute the complete agreement between the parties with respect to their subject matter and supersede any prior agreement or communication. Engage reserves the right to modify their policies at any time. In the event Engage Health updates or modifies this Privacy Policy, Engage shall endeavor to post such updates or modifications on this website for a period of thirty (30) days following any such modifications. Therefore, you are advised to view this Privacy Policy occasionally, or at least every thirty (30) days. Your continued use of this website subsequent to Engage Health notice of modification of this Privacy and Data Storage Policies Notice shall constitute your acceptance of the modified Privacy Policy.

Any person who desires to see their data, know how their data is being used, or desires that their data is updated or deleted (i.e. the “Right to Be Forgotten”), can do so by contacting our Data Protection Officer via email providing your name and the nature of your request. Such requests will be met to the best of our ability, typically within 15 business days, but in no case greater than one month.

Mr. Steve Stevenson, Data Protection Officer

3265 Lexington Avenue S, Eagan, MN 55121

dataprotectionofficer@engagehealth.com, (651) 994-0510