This Privacy Notice describes the policies and practices of AZA Health & Wellness/DocPhyzio regarding the collection and use of your personally identified data. AZA complies with the applicable privacy laws of the United States, California, and the General Data Protection Regulation (EU)(GDPR).
DATA PROTECTION OFFICER
AZA Health & Wellness/DocPhyzio has appointed an internal privacy and data collection officer, located at our Corporate Headquarters in Irvine, CA, as follows:
CONTACT EMAIL: email@example.com
Definitions of common terms are included at the end of this policy.
AGE OF CONSENT
AZA Health & Wellness/DocPhyzio does not market to minors for any products or services that minors are legally prohibited from buying. However, in the unlikely event a minor requires our products or services, we require parental consent as follows:
- In the U.S. we require parental consent before collecting personal information (PI) for persons under 13 years of age.
- In the EU, we require parental consent before collecting PI for persons under 16 years of age.
Any minor possessing an account with us may request and be granted removal of their account information per the laws and limitations of the State of California and the GDPR.
INFORMATION WE COLLECT
AZA Health & Wellness/DocPhyzio collects and stores any information you enter on our website or give us in any other way. We collect PI about our customers, students, and participants in our Health Risk Assessment programs, including credit card and payment information. We use this information to provide customers, students, and participants with goods and services, including educational services, training content, certifications, and similar offerings.
We also automatically collect information from you via cookie technology on our website, via other technologies, and via electronic communication methods. This may include, among other things, the Internet protocol (IP) address of your computer, login information, email address, location, browser and computer information, cell phone number and carrier information, session data, onsite search information, online behavioral data including click streams, and other usage information.
REASON WE COLLECT THE INFORMATION
AZA Health & Wellness/DocPhyzio needs to collect certain PI to process orders and fulfill contract services. We also have a legitimate interest in understanding how users interact with our website and other communication centers for relevancy of products and services; to address existing and changing customer needs; and to comply with state, federal, and international laws.
USE OF INFORMATION
AZA Health & Wellness/DocPhyzio uses this information to provide customers, students, and participants with goods and services; including educational services, training content, certification, and similar offerings; and to fulfill our contracts with customers, students, and participants. We analyze and use this information for diagnostic purposes, for fraud prevention, to address website user experience, and to improve our offerings. If you sign up for offers for newsletters, we may use your name and email address to inform you of our future offers, similar products, and additional services. You can unsubscribe at any time via phone, email or our website. In some cases, we may use, retain, sell, or disclose a consumer’s information that has been de-identified or aggregated, i.e., anonymized to protect your identity.
We do not disclose personal or privileged information collected or received in connection with an insurance transaction unless the disclosure (1) is authorized in writing by the individual or (2) is necessary for conducting business.
We do not publicly post full social security numbers. Any public display of a social security number will be truncated to the last four digits.
We do not sell your telephone calling pattern records without written consent.
We do not seek medical information for direct marketing purposes without your consent.
We do not disclose, without your consent, patient medical information obtained via our services, except to health care entities or other employers that have contracted us to provide said information; or as required by law.
If applicable, we comply with HIPAA regulations, specifically for business associates of health care entities, or as otherwise required by law.
INFORMATION WE SHARE
RETENTION OF INFORMATION
AZA Health & Wellness/DocPhyzio shall retain your information only for as long as is necessary to provide services and to comply with U.S., California, GDPR, and certification agency retention laws. Any services that are subject to U.S. and California medical privacy laws shall be retained for the periods listed in our HIPAA policies. More information on our retention schedule can be obtained from the data protection officer at firstname.lastname@example.org.
AZA Health & Wellness/DocPhyzio has Data Protection procedures in place to oversee the effective and secure processing of your PI including physical and administrative safeguards, and technical controls to protect data and prevent reidentification from data that has been de-identified, i.e., anonymized.
We use “privacy by design” guidelines to assess privacy issues at each step of new projects. Privacy Impact Assessments (PIA) are conducted if processing of a user’s data is likely to result in a high risk for the rights and freedoms of an individual located in the EU and as per the laws of the U.S.
We update and test our security technology on an ongoing basis.
We restrict access to your PI to those employees who need to know that information to provide benefits or services to you. In addition, we train our employees about the importance of confidentiality and maintaining the privacy and security of your information.
DATA BREACH NOTIFICATION
AZA Health & Wellness/DocPhyzio will notify you, as required by law, if unencrypted PI was, or is reasonably believed to have been, acquired by an unauthorized person. This PI includes:
- An individual’s name plus one or more of the following: Social Security number, driver’s license or State Identification Card number, financial account numbers, medical information, health insurance, or information collected through an automated license plate recognition system; or
- User ID and password or other specified credentials permitting access to online accounts.
In California, if more than 500 CA residents are affected, we will also notify the Attorney General.
Under the GDPR we will notify the supervisory authority of the U.S. unless:
- We have implemented appropriate technical and organizational protection measures that render the PI unintelligible to any person who is not authorized to access it;
- We take actions subsequent to the PI breach to ensure that the high risk to the rights and freedoms of data subjects is unlikely to materialize; or,
- When notification to each data subject would involve disproportionate effort, in which case alternative communication measures will be used.
DATA STORAGE AND RETENTION
AZA Health & Wellness/DocPhyzio stores your PI on its servers and/or in the cloud with its third-party cloud storage partners. These third parties do not use or have access to your PI for any purpose other than cloud storage and retrieval. All data is stored in the United States of America unless otherwise indicated. We retain data for the duration of your business relationship with us; for historical or archiving purposes; and as required by law. At the expiration of the retention period, your PI will be shredded, erased, or modified to protect your identity. We do not retain or disclose information provided for verification of age for any other purpose other than to comply with federal, state, or local law on your rights of erasure and portability, please contact the data protection officer at email@example.com.
TRANSFER OF PI FROM THE EU TO THE U.S.
AZA Health & Wellness/DocPhyzio has its headquarters in the United States. Information we collect from you will be processed in the United States. The United States has not sought nor received a finding of “adequacy” from the European Union under Article 45 of the GDPR. Therefore, AZA Health & Wellness/DocPhyzio relies on “derogations for specific situations” as set forth in Article 49 of the GDPR for transfer of data out of the user country. These include: 1) explicit consent; 2) to perform or complete a contract; 3) as a matter of public interest; 4) to enforce legal rights; or 5) to protect a user incapable of giving consent.
AZA Health & Wellness/DocPhyzio undertakes to safeguard and protect privacy and security of your PI and to use it only as it pertains to your relationship with AZA Health & Wellness/DocPhyzio and this Privacy Notice.
AZA Health & Wellness/DocPhyzio operates, in some cases, as a business associate to health care entities. In this capacity it may create, receive, maintain or transmit protected health information (PHI). As such we comply with HIPAA standards to safeguard PHI as per our contract and as required by law. We require our subcontractors to comply with the same requirements.
Services or Health assessments, that may contain PHI, and which are performed for covered entities in their capacity of employer, will be protected per the terms of our contract agreements with those entities, and applicable rules under HIPAA.
We may disclose PHI for the proper management and administration of our operations or to carry out legal responsibilities, provided 1) the disclosures are required by law; or, 2) if we obtain reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and handled only as required by law or for the purposes for which it was disclosed to the person.
AZA Health & Wellness/DocPhyzio will:
- Not use or disclose protected health information other than as permitted or required by its contracts with covered entities, or as required by law;
- For a period of 6 years, retain Health Assessments and other documents which are necessary for us to continue the proper management and administration of our business, and that of the health entity; or to carry out our legal responsibilities;
- Use appropriate safeguards, and comply with the HIPAA Security Rule with respect to electronic PHI, to prevent use or disclosure of PHI as per our contract and as required by law;
- Report to any covered entity partner any unauthorized use or disclosure of PHI, of which it becomes aware, including breaches of unsecured PHI. In such case, we will include the identification of each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, or disclosed during such breach. Any breach will be reported without unreasonable delay and in no case later than 60 calendar days after discovery;
- Make PHI available to the covered entity in a designated record set as necessary to satisfy covered entity’s obligations under 45 CFR 164.524;
- Make any amendment(s) to PHI in a designated record set as directed or agreed to by the covered entity pursuant to 45 CFR 164.526;
- Maintain and make available the information required to provide an accounting of disclosures to the covered entity as necessary to satisfy covered entity’s obligations under 45 CFR 164.528;
- Maintain designated record sets that are subject to access by individuals. Release of that information will be upon request only by the covered entity;
- Make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules; and,
- At the end of our contracts return or destroy all protected health information created, received, or transmitted, on behalf of the covered entity.
- If the business is subject to the CCPA, as a California resident you have the right to request information about how your PI is collected; processed; for what purpose and with whom it is shared. You have the right to receive a response within 45 days subject to one 45-day extension with notice. You may request that information from the data protection officer at firstname.lastname@example.org.
- If the business is subject to the CCPA, as a California resident you have the right to restrict use of your PI for marketing purposes.
- If the business is subject to the CCPA, as a California resident you have the right to have PI you provided to us, deleted; subject to restrictions. You may request that information from the data protection officer at email@example.com.
- If the business is subject to the CCPA, as a California resident you have the right to know whether the business sells or discloses PI to third parties; and upon request may obtain:
  - The categories of PI it has collected about that consumer.
  - The categories of sources from which the PI is collected.
  - The business or commercial purpose for collecting or selling PI.
  - The categories of third parties with whom the business shares PI.
  - The specific pieces of PI it has collected about that consumer.
You may also opt out of having your PI sold to third parties. You may request that service from the data protection officer at firstname.lastname@example.org; or to restrict sale of your PI to third parties: Do Not Sell My Personal Information.
Residents of EU Member States have the following additional rights:
- EXPLICIT CONSENT. We do not collect PI on EU residents protected by the GDPR without explicit consent at the time of transaction. If you do not provide consent during any transaction, and such PI is necessary to complete sales or service, the transaction will be cancelled. If the information is not required for this business purpose, or as required under law, completion of your transaction shall not be affected by your refusal to provide explicit consent. Additional processing for archiving in the public interest, statistical purposes, or scientific and historical research are exempt from this provision.
- RIGHT TO OPT OUT. If you are in the European Union, you have certain rights over how we use your data. If you previously gave us consent to process your data for marketing purposes, and would now like that usage restricted. If you previously gave us consent to sell or process your data to third parties, and would now like that usage restricted, or contact the data protection officer at email@example.com.
- RIGHT TO BE FORGOTTEN: Once your consent is withdrawn, you have the right to request your PI be erased and no longer used for processing. You may request this action at this link REMOVE MY PERSONAL INFORMATION or via the data protection officer at firstname.lastname@example.org.
“Personal Information or Data (PI)” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. PI includes, but is not limited to, the following if it identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household:
- Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
- Any categories of PI described in subdivision (e) of Section 1798.80.
- Characteristics of protected classifications under California or federal law.
- Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
- Biometric information.
- Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.
- Geolocation data.
- Audio, electronic, visual, thermal, olfactory, or similar information.
- Professional or employment-related information.
- Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99).
- Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
- “PI” does not include publicly available information.
“Personally Identifiable Information (PII)” refers to PI that identifies, relates to, describes, is capable of being associated with, or may reasonably be linked, directly or indirectly, with a particular consumer or household or that can be used to trace that person’s identity. This includes the first name or first initial and last name combined with any one of the following:
- social security number
- driver’s license number or State identification card number
- account number, credit, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account
- medical information, or,
- health insurance information
“Protected Health Information (PHI)” means individually identifiable health information transmitted or maintained in any form or medium that is held by an entity covered by the Health Insurance Portability and Accountability Act or its business associate; identifies the individual or offers a reasonable basis for identification; is created or received by a covered entity or an employer; and relates to a past, present or future physical or mental condition, provision of healthcare or payment for healthcare to that individual.
“Individually identifiable health information” is information, including demographic data, that relates to:
- the individual’s past, present or future physical or mental health or condition,
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual.
Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).
“Business associate” is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information. A “business associate” also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate.
“Aggregate consumer information” means information that relates to a group or category of consumers, from which individual consumer identities have been removed, that is not linked or reasonably linkable to any consumer or household, including via a device. “Aggregate consumer information” does not mean one or more individual consumer records that have been de-identified.
“Biometric information” means an individual’s physiological, biological or behavioral characteristics, including an individual’s deoxyribonucleic acid (DNA), that can be used, singly or in combination with each other or with other identifying data, to establish individual identity. Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.
“De-identified” means information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, provided that a business that uses de-identified information:
- Has implemented technical safeguards that prohibit reidentification of the consumer to whom the information may pertain.
- Has implemented business processes that specifically prohibit reidentification of the information.
- Has implemented business processes to prevent inadvertent release of deidentified information.
- Makes no attempt to reidentify the information.
CHANGES AND UPDATES TO THE PRIVACY NOTICE
We reserve the right to amend the Privacy Notice and Conditions of Use at any time, for any reason, without notice to you, other than the posting of the amended Privacy Notice and Conditions of Use at this Site.