Health Data Privacy Policy
For Employer Groups Only
Welcome to our Washington Consumer Health Data Privacy Policy
This Washington Consumer Health Data Privacy Policy provides information regarding how UnitedHealth Group and its affiliates and subsidiaries, including United Health Group Incorporated, United Healthcare Services, Inc., and Optum, Inc. (collectively, the “UnitedHealth Group Companies,” “we,” “us,” “our,” or “Company”) process consumer health data subject to Washington’s My Health My Data Act (“WMHMDA”).
To what data does this Policy apply?
This Policy applies, subject to several exceptions, to personal information that is linked or reasonably linkable to you and that identifies your past, present or future physical or mental health status within the meaning of the WMHMDA. It applies only if you are:
- A resident of Washington; or
- An individual about whom information is collected in Washington.
We refer in this Policy to this data as “Washington consumer health data.”
Note that this Policy does not apply to personal information that is not subject to the WMHMDA, including to information that is specifically exempted from the WMHMDA, which includes, among other things, protected health information subject to the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations.
Additional information relating to how we process data not subject to the WMHMDA is available in the Online Services Privacy Policy (OSPP) available online. As a courtesy, we have highlighted additional sections of the OSPP to direct you in finding such information.
What Washington consumer health data do we collect?
We collect Washington consumer health data in connection with our services and products and the type of Washington consumer health data depends on the specific service or product offering that you use or receive and your interaction with us. Examples of Washington consumer health data that we collect may include:
- information about your health-related conditions, symptoms, status, diagnoses, testing, or treatments (including surgeries, procedures, use or purchase of medications, or other social, psychological, behavioral, and medical interventions);
- measurements of bodily functions, vital signs, symptoms, or health characteristics, steps and other physical activity data (e.g., swimming, biking, burned calories, heart rate), activity and fitness time data, sleep data, nutrition data, mindfulness data, blood pressure, pulse and heart rate data, weight tracking data (e.g., body fat percentage, weight, height, body mass index, and other body mass information), blood glucose data, blood oxygen levels data, and body temperature data;
- biometric data, such as your fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait or other physical patterns and other imagery from which an identifier template can be extracted;
- information regarding gender-affirming care;
- information on reproductive or sexual health;
- genetic data;
- precise geolocation information that could reasonably indicate your attempt to acquire or receive health services or supplies;
- information that could identify your attempt to seek health care services or information (e.g., we may collect your search queries on our websites and mobile apps, which may include queries concerning health-related topics); and
- other information that may be used to infer or derive data related to the above or other health information.
Washington consumer health data does not include data related to the shopping habits or interests of a consumer, where that information is not used to identify the specific past, present or future health status of the consumer. For example, if you search for or shop for health-related items on one of our sites or read an article about a health-related condition or service, we do not consider associated data consumer health data where it is not used to infer or identify your specific past, present or future health status.
How do we use your Washington consumer health data?
We primarily collect and use Washington consumer health data as necessary to provide you with the requested products or services. This may include, as further described in the section on How We Use Your Information in the OSPP, the following:
- provide and maintain our services;
- communicate with you;
- troubleshoot and improve our services;
- personalize your experiences;
- authenticate your identity;
- essential business operations that support the provision of our products and services; and
- comply with legal obligations and respond to legal process.
We may collect and use Washington consumer health data for other purposes for which we obtain your consent as required by the WMHMDA. This may include, as further described in the section on How We Use Your Information in the OSPP, the following:
- marketing purposes;
- surveys;
- the purposes described in the consent; and
- any other lawful purpose for which we obtain your consent.
We may also collect and use Washington consumer health data to protect the Company, our users, and the public, such as to:
- prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any activity that is illegal under Washington state law or federal law;
- preserve the integrity or security of systems; and
- investigate, report, or prosecute those responsible for any such action that is illegal under Washington state law or federal law.
We may deidentify or anonymize Washington consumer health data so that it cannot reasonably be reidentified by us or by another person, and we may use this deidentified data for any reason permitted by applicable law.
How do we share your Washington consumer health data?
We may share each of the categories of Washington consumer health data described in this Policy as necessary to provide you with a product or service you request, with your consent, or for certain security-related purposes, as described above and as described further in the section on How We Share Your Information in the OSPP, such as:
- with our subsidiaries and affiliates;
- with service providers; and
- to facilitate a business transfer.
Sources of Washington Consumer Health Data
As described further in the section on What Information We Collect About You in the OSPP, we collect your information, which may include your Washington consumer health data, directly from you, automatically as you interact with our websites and mobile applications, and from other third party or public sources. The specific sources of Washington consumer health data depend on the service or product offering that you use and your interaction with us.
Third Parties with Which We Share Washington Consumer Health Data
As necessary for the purposes described above, we share Washington consumer health data with the following categories of third parties:
- UnitedHealth Group Companies;
- service providers;
- parties to a business transfer;
- third parties, as required or expressly permitted by law, such as government agencies and law enforcement in response to legal process or other third parties as necessary to protect the Company, our users, and the public;
- other third parties as necessary to provide the services or products you requested;
- financial institutions and payment processors when you make a purchase or enter into a financial transaction;
- other users and individuals at your direction; and
- the public via voluntary collaboration areas.
We will not sell Washington consumer health data unless we have a separate written authorization from you to do so.
By default, when you use our online services, we will not share Washington consumer health data to third parties so those third parties can collect Washington consumer health data over time and across different websites or online services. We will only share this data when we have a separate written authorization from you to do so. Nonetheless, please note that third parties may still be able to collect consumer health data from you over time and across different websites depending on your browser, browser add-ons, and permissions you set on your device. Data collected by those third parties is unrelated to our collection of Washington consumer health data from you, and we recommend reviewing those third parties’ privacy notices for more information about their collection methods to opt of such collection.
Your Rights Under WMHMDA
Under the WMHMDA, subject to certain exceptions, you may have the right to access or delete Washington consumer health data about you or receive a list of third parties and affiliates with whom your Washington consumer health data was shared or sold (with authorization). You also may have the right, subject to certain exceptions, to withdraw consent relating to the use, sharing, or selling (with authorization) of your Washington consumer health data. To exercise these rights, you may submit a request through our online webform here. You may be required to submit proof of your identity for these requests to be processed. We will not be able to comply with your request if we are unable to confirm your identity. You may designate an authorized agent to make a request on your behalf subject to proof of identity and authorization.
If you have questions about this Policy or would like to make a complaint, you can contact us by email at uhg_privacy_office@uhg.com.
Last Updated: March 31, 2024
Consumer Health Data Privacy Policy
This Consumer Health Data Privacy Policy provides information regarding how UnitedHealth Group and its affiliates and subsidiaries, including United Health Group Incorporated, United Healthcare Services, Inc., and Optum, Inc. (collectively, the “UnitedHealth Group Companies”, “we”, “us”, “our”, or “Company”) process “consumer health data” subject to certain consumer health data privacy laws.
To what data does this Policy apply?
This Policy applies to our products or services that collect personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present or future physical or mental health status within the meaning of consumer health data privacy laws (“consumer health data”).
This Policy applies only to consumers who:
- Reside in or have their data processed in a state with a consumer health data privacy law. As of the last updated date of this Policy, this consists of Nevada.
- Engage with a product or service only in an individual or household context, and not in an employment context or as an agent of a government entity.
- Engage with a product or service that is not regulated by another federal or state privacy law that is specifically exempted from consumer health data privacy laws.
- For example, products or services that are subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations or are offered by financial institutions or affiliates regulated by the Gramm-Leach-Bliley Act (GLBA) are not covered by this consumer health data privacy policy. We separately provide notices required under other state and federal laws, such as HIPAA and GLBA in connection with products and services subject to those laws.
Additional information relating to how we process data that is not subject to consumer health data privacy laws is available in the Online Services Privacy Policy (OSPP) and other privacy notices available online. As a courtesy, we have highlighted additional sections of the OSPP to direct you in finding such information.
What consumer health data do we collect?
The type of consumer health data we collect depends on the specific service or product offering that you use or receive and your interaction with us. Examples of consumer health data that we collect may include:
- information about your health-related conditions, symptoms, status, diagnoses, testing, or treatments (including surgeries, procedures, use or purchase of medications, or other social, psychological, behavioral, and medical interventions);
- measurements of bodily functions, vital signs, symptoms, or health characteristics, steps and other physical activity data (e.g., swimming, biking, burned calories, heart rate), activity and fitness time data, sleep data, nutrition data, mindfulness data, blood pressure, pulse and heart rate data, weight tracking data (e.g., body fat percentage, weight, height, body mass index, and other body mass information), blood glucose data, blood oxygen levels data, and body temperature data;
- biometric data, such as your fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait or other physical patterns and other imagery from which an identifier template can be extracted;
- information regarding gender-affirming care;
- information on reproductive or sexual health;
- genetic data;
- precise geolocation information that could reasonably indicate your attempt to acquire or receive health services or supplies;
- information that could identify your attempt to seek health care services or information (e.g., we may collect your search queries on our websites and mobile apps, which may include queries concerning health-related topics) when it is used to identify the specific past, present or future health status of the consumer; and
- other information that may be used to infer or derive data related to the above or other health information.
Consumer health data does not include data related to the shopping habits or interests of a consumer, where that information is not used to identify the specific past, present or future health status of the consumer. For example, if you search for or shop for health-related items on one of our sites or read an article about a health-related condition or service, we do not consider associated data consumer health data where it is not used to infer or identify your specific past, present or future health status.
How do we use your consumer health data?
We primarily collect and use consumer health data as necessary to provide you with the requested products or services. This may include, as further described in the section on How We Use Your Information in the OSPP, the following:
- provide and maintain our services;
- communicate with you;
- troubleshoot and improve our services;
- personalize your experiences;
- authenticate your identity;
- essential business operations that support the provision of our products and services; and
- comply with legal obligations and respond to legal process.
We may collect and use consumer health data for other purposes for which we obtain your consent as required by consumer health privacy law. This may include, as further described in the section on How We Use Your Information in the OSPP, the following:
- marketing purposes;
- surveys;
- the purposes described in the consent; and
- any other lawful purpose for which we obtain your consent.
We may also collect and use consumer health data to protect the Company, our users, and the public, such as to:
- prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any activity that is illegal under state law or federal law;
- preserve the integrity or security of systems; and
- investigate, report, or prosecute those responsible for any such action that is illegal under state law or federal law.
We may deidentify or anonymize consumer health data so that it cannot reasonably be reidentified by us or by another person, and we may use this deidentified data for any reason permitted by applicable law.
How do we share your consumer health data?
We may share each of the categories of consumer health data described in this Policy as necessary to provide you with a product or service you request, with your consent, or for certain security-related purposes, as described above and as described further in the section on How We Share Your Information in the OSPP, such as:
- with our subsidiaries and affiliates;
- with service providers; and
- to facilitate a business transfer.
Sources of Consumer Health Data
As described further in the section on What Information We Collect About You in the OSPP, we collect your information, which may include your consumer health data, directly from you, automatically as you interact with our websites and mobile applications, and from other third party or public sources. The specific sources of consumer health data depend on the service or product offering that you use and your interaction with us.
Third Parties with Which We Share Consumer Health Data
As necessary for the purposes described above, we share consumer health data with the following categories of third parties:
- UnitedHealth Group Companies;
- service providers;
- parties to a business transfer;
- third parties, such as government agencies and law enforcement in response to legal process or other third parties as necessary to protect the Company, our users, and the public, and only as required or expressly permitted by law;
- other third parties as necessary to provide the services or products you requested;
- financial institutions and payment processors when you make a purchase or enter into a financial transaction;
- other users and individuals at your direction; and
- the public via voluntary collaboration areas.
We will not sell consumer health data unless we have a separate written authorization from you to do so.
By default, when you use our online services, we will not share consumer health data to third parties so those third parties can collect consumer health data over time and across different websites or online services. We will only share this data when we have a separate written authorization from you to do so. Nonetheless, please note that third parties may still be able to collect consumer health data from you over time and across different websites depending on your browser, browser add-ons, and permissions you set on your device. Data collected by those third parties is unrelated to our collection of consumer health data from you, and we recommend reviewing those third parties’ privacy notices for more information about their collection of consumer health data and methods to opt of such collection.
Your Rights with Respect to Consumer Health Data
Subject to certain exceptions, you may have the right to access or delete your consumer health data about you or receive a list of third parties and affiliates with whom your consumer health data was shared or sold (with authorization). You also may have the right, subject to certain exceptions, to withdraw consent relating to the use, sharing, or selling (when authorized) of your consumer health data. To exercise these rights, you may submit a request through our online webform here. You may be required to submit proof of your identity for these requests to be processed. We will not be able to comply with your request if we are unable to confirm your identity. You may designate an authorized agent to make a request on your behalf subject to proof of identity and authorization.
Updates to This Consumer Health Data Privacy Policy
If we make material changes to this Policy, we will inform you by, at minimum, posting an updated notice on this page with an updated Last Updated Date.
If you have questions about this Policy or would like to make a complaint, you can contact us by email at uhg_privacy_office@uhg.com.
Last Updated: March 31, 2024