Washington State Privacy Policy
Effective February 2024
This Consumer Health Data Privacy Policy (“WA Policy”) supplements the information contained in the Citizens Disability™ Privacy Policy (the “Privacy Policy”) made available on the website located at www.citizensdisability.com (the “Site”). The Site is owned and operated by Citizens Disability, LLC (“Company,” “we,” “us” or “our”). This WA Policy applies solely to residents of the State of Washington.
We adopt this Privacy Notice in compliance with the Washington My Health, My Data Act (“MHMDA”) Any terms defined in the MHMDA have the same meaning when used in this WA Policy. Washington Consumers with disabilities who wish to access this WA Policy in an alternative format can contact us by emailing us at: privacy@citizensdisability.com; by calling us at: (888) 757-4011 or (781) 516-7715 or sending us U.S. Mail to: Citizens Disability, P.O. Box 549293 Waltham, MA 02454-9293.
Your rights and choices
The MHMDA provides consumers residing in Washington and consumers whose consumer health data is collected in Washington (“Washington Consumers”, “you”, or “your”) with specific rights regarding their consumer health data.
This WA Policy also explains your rights regarding your consumer health data and how you can exercise those rights. This WA Policy describes the practices of Citizens Disability and its subsidiaries and affiliates (“the Company”, “we”, “us” or “our”) that link to the WA Policy regarding the collection, use, disclosure, sale, and sharing of consumer health data we collect from Washington Consumers.
Scope of this notice
We strive to help consumers achieve their financial goals by providing an array of health insurance products. In doing so, we may collect, use, and disclose consumer health data of Washington Consumers. In this WA Policy, consumer health data has the meaning described below and excludes certain information subject to other laws.
Consumer health data is defined for purposes of this WA Policy and the MHMDA as personal information that is linked or reasonably linkable to a Washington Consumer and that identifies the Washington Consumer’s past, present, or future physical or mental health status.
Personal information is defined for purposes of this WA Policy and the MHMDA as information that identifies or is reasonably capable of being associated or linked, directly or indirectly, with a particular consumer. Personal information includes, but is not limited to, data associated with a persistent unique identifier, such as a cookie ID, an IP address, a device identifier, or any other form of persistent unique identifier.
Consumer health data may include, for example, information collected directly from you if you use certain services available on our sites or information that you voluntarily provide, such as information you provide in response to a questionnaire or survey, as part of a request, or on a form.
We may also collect or receive consumer health data about you through or from our business partners; service providers; marketing partners; and other third parties that perform services for us or for you, or to market our products and services to you. Please see the “Consumers Whose Consumer Health Data We Collect, Use, and Disclose” section of this WA Policy to learn more about how we may collect your consumer health data.
Under the MHMDA and the unique consumer rights described below, consumer health data does not include:
- Publicly available information, such as information from government records, information we reasonably believe you made available to the general public, or unrestricted information you have disclosed or made available;
- De-identified or aggregated consumer information we maintain in deidentified form and do not attempt to reidentify except as required or permitted by law;
- Health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA); and
- Personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (“FRCA”) and the Gramm-Leach-Bliley Act (“GLBA”).
- We separately provide notices required under other state and federal laws, such as GLBA and HIPAA in connection with products and services subject to those laws. Those notices can be found by clicking here.
Overview of Consumer Health Data Practices
Consumer Health Data
We may collect, use, and/or disclose the following types of consumer health data:
- Health conditions, treatments, diseases, or diagnosis. This may include physical characteristics or descriptions, health history, tests, and other medical information, policy and other health insurance information, or sex (including gender, pregnancy or childbirth, and related medical conditions).
- Social, psychological, behavioral, and medical interventions. This may include physical characteristics or descriptions, health history, tests, and other medical information, or policy and other health insurance information, or sex (including gender, pregnancy or childbirth, and related medical conditions).
- Health-related surgeries or procedures. This may include physical characteristics or descriptions, health history, tests, and other medical information, policy and other health insurance information, or sex (including gender, pregnancy or childbirth, and related medical conditions).
- Use or purchase of prescribed medication. This may include physical characteristics or descriptions, health history, tests, and other medical information, policy and other health insurance information, or sex (including gender, pregnancy or childbirth, and related medical conditions).
- Bodily functions, vital signs, symptoms, or measurements of other types of consumer health data. This may include physical characteristics or descriptions, health history, tests, and other medical information, policy and other health insurance information, or sex (including gender, pregnancy or childbirth, and related medical conditions).
- Diagnoses or diagnostic testing, treatment, or medication. This may include physical characteristics or descriptions, health history, tests, and other medical information, policy and other health insurance information, or sex (including gender, pregnancy or childbirth, and related medical conditions).
- Reproductive or sexual health information. This may include personal information relating to seeking or obtaining past, present, or future reproductive or sexual health services, including but not limited to efforts to research or obtain reproductive or sexual health services.
- Biometric data. This may include data that is generated from the measurement or technological processing of an individual’s physiological, biological, or behavioral characteristics and that identifies a consumer, whether individually or in combination with other data, including, but not limited to voiceprints, keystroke, or other physical patterns, and sleep, health, or exercise data.
- Genetic data. This may include any data, regardless of its format, that concerns a consumer’s genetic characteristics, including, but not limited to physical characteristics or descriptions, health history, tests, and other medical information, policy and other health insurance information, sex (including gender, pregnancy or childbirth, and related medical conditions), or genetic information (including familial genetic information).
- Data that identifies a consumer seeking health care services. This may include physical characteristics or descriptions, insurance policy number, health history, tests, and other medical information, policy and other health insurance information, or sex (including gender, pregnancy or childbirth, and related medical conditions).
- Any information that a regulated entity or a small business, or their respective processor, processes to associate or identify a consumer with the data described above that is derived or extrapolated from non-health information (such as proxy, derivative, inferred, or emergent data by any means, including algorithms or machine learning).
- This may include inferences, such as information, data, assumptions, or conclusions derived from facts, evidence, or another source of information or data reflecting your preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, or aptitudes, such as products or website experiences you might be interested in.
The categories of consumer health data may include the following personal information, when collected in connection with your past, present, or future physical or mental health status:
Identifiers
This may include real name, alias, postal address, persistent unique identifiers, cookies and pseudonymous identification number, online identifier, device identifier, Internet Protocol address, email address, account name, Social Security number, passport number, tax identification number, user identification number, or other similar identifiers.
Other personal information
This may include signature, physical characteristics or descriptions, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number and information, credit card number, debit card number, income, tax, ACH, or any other financial information, health history, tests, and other medical information, policy and other health insurance information, health expense preferences, or date of birth.
Characteristics of protected classifications under Federal Law
This may include age, race, color, ancestry, national origin, citizenship, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth, and related medical conditions), sexual orientation, genetic information (including familial genetic information).
Commercial information
This may include records of products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
Internet or other similar network activity
This may include browsing history, search history, or information on a consumer’s interaction with a website, application, or advertisement.
Geolocation data
This may include physical location or movements.
Audio, electronic, or similar information
This may include audio, electronic, or similar information, such as call recordings.
Inferences drawn from other personal information
This may include information, data, assumptions, or conclusions derived from facts, evidence, or another source of information or data reflecting your preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, or aptitudes, such as products or website experiences you might be interested in.
Business purposes
We may collect, use, and/or disclose, and in the preceding 12 months we have collected, used, and/or disclosed, consumer health data for the following business purposes:
A purpose you direct. You direct us to collect, use, and/or disclose your consumer health data.
Marketing to you. For example, this may include determining what products and services you may be interested in; marketing products and services to you; providing insurance product quote information; and screening for insurance product eligibility and suitability.
Enhancing your experience with us on our website. For example, this may include identifying website visits, ad interaction, and search history; recommending insurance products based on preferences; delivering jurisdiction-specific website content; tailoring your experience on our website; and drawing inferences from your consumer health data to tailor your experience on our website and identify the products you might be interested in.
Marketing enhancement. For example, this may include conducting data analytics; reporting lead conversions; optimizing online searching and identifying consumer product interest.
Manage our business relationship. For example, this may include communicating with our business partners; conducting background checks; conducting appointment, licensing, due diligence, contracting, and other onboarding activities; paying and reporting commissions; and administering contracts.
Support our business operations. For example, this may include providing product marketing and sales support; administering and processing product applications and policies; collecting financial information such as income, bank account number, and encrypted credit card number; and supporting other business processes concerning or affected by our business relationships.
Vendor management. For example, this may include administering requests for information/proposals (RFI/RFP); conducting due diligence; monitoring contract compliance and performance; communicating about projects, systems, problems, and other matters relevant to the vendor relationship; and issuing payments.
Legal and regulatory compliance. For example, this may include complying with applicable laws, regulations, and oversight obligations; for quality assurance; for internal and external audits and investigations; engaging with law enforcement and other governmental bodies; for litigation; for compliance with the Company’s policies and procedures, contracts, and oversight obligations; and enforcing contractual obligations and exercising contractual rights.
Merger, Acquisition, and/or Bankruptcy. For example, this may include as part of a merger, acquisition, bankruptcy, or other transaction where a third party assumes control of us.
Our internal purposes. For example, this may include conducting, managing, maintaining, and improving our products and services; business operations and processes; security and privacy practices, which may include, but not be limited to detecting, investigating, and resolving potential vulnerabilities, data security, or privacy incidents; quality assurance; business continuity; systems, networks, applications, and databases, which may include, but not be limited to preventing, finding, and resolving software, hardware, or application bugs and issues.
Sources & recipients of consumer health data
We may collect your consumer health data from and/or disclose your data to, and in the preceding 12 months we have collected from and/or disclosed your consumer health data to, one or more of the following parties:
You
Data providers. This may include relationship management providers; data/lead aggregators; web, call tracking, marketing, and other data analytics providers, market researchers, credit reporting agencies, consumer insight platform organizations, and similar vendors.
Digital marketing providers. This may include social media and other online advertising/marketing providers, digital advertising publishers, and similar vendors.
Marketing providers. This may include our call centers, multi-channel marketers, advertising publishers, and similar vendors.
Advisors. This may include our sales agents, brokers, producers, marketers, and other similar business partners.
Company service providers. This may include companies who are assisting us in fulfilling our contracts and carrying out our business.
Technology providers. This may include communication compliance providers, security vendors, electronic document management vendors, and similar entities.
Affiliates. This may include entities that are under common control with us.
Consumers whose consumer health data we collect, use, and disclose
We collect consumer health data from Washington Consumers who may receive information about products or services. The type of consumer health data we may collect, the sources of that consumer health data, our purposes for collecting, using, and disclosing that consumer health data, and other factors vary depending on the type of consumer you are.
Why we collect your consumer health data
We may collect and/or use your consumer health data for various business purposes, such as for a purpose you direct; marketing to you; enhancing your experience with us on our website; marketing enhancement; supporting our business operations; for our own internal purposes; and for legal and regulatory compliance. We may also collect or use consumer health data for one or more business purposes described in the WA Policy.
What consumer health data we collect
To accomplish these business purposes, and depending on the nature of our specific relationship with you, we may collect personal information that identifies a consumer’s past, present, or future physical or mental health status, including: health conditions, treatment, diseases, or diagnosis; social, psychological, behavioral, and medical interventions; health-related surgeries or procedures; use or purchase of prescribed medication; bodily functions, vital signs, symptoms, or measurements of other types of consumer health data; diagnoses or diagnostic testing, treatment, or medication; reproductive or sexual health information; biometric data; genetic data; data that identifies a consumer seeking health care services; or any information that a regulated entity or a small business, or their respective processor, processes to associate or identify a consumer with the data described above that is derived or extrapolated from nonhealth information (such as proxy, derivative, inferred, or emergent data by any means, including algorithms or machine learning).
How we collect your consumer health data
We may collect this consumer health data from: you if you use certain services available on our sites or voluntarily provide it to us; data providers; advisors; affiliates; marketing providers; digital marketing providers; technology providers; and other service providers, contractors and/or third parties.
Consumer Health Data We Share
We may share all the categories of consumer health data that we collect, as disclosed above.
Your Privacy Choices
Subject to certain legal limitations and exceptions, you may be able to exercise some or all of the following rights:
Right to delete
You may have the right to request that we delete any of your consumer health data collected from you and retained by us (and direct our affiliates, processors, contractors, and third parties to do the same).
We may deny your deletion request if retaining the consumer health data is reasonably necessary for us (or our affiliates, processors, contractor(s), or third parties) to:
- Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any activity that is illegal under Washington state law or federal law;
- Preserve the integrity or security of systems; or
- Investigate, report, or prosecute those responsible for any such action that is illegal under Washington state law or federal law.
- Other legal limitations and exceptions may also apply.
Exercising your rights
How to Submit A Request to Exercise Your Rights
To exercise any of the rights described above, you may submit a request either by clicking here and completing the linked My Health, My Data Rights Request form or by contacting us at the following toll-free number: (888) 757-4011. We will consider only those requests submitted using these two options.
Exercising Your Right to Delete
Only you or your authorized agent may make an authenticated consumer request to delete your consumer health data. If you use an authorized agent to submit an authenticated consumer request on your behalf, we will require you to provide additional information as described below. You may make an authenticated consumer request on behalf of your minor child.
In order to authenticate your identity to process your request, we will request your full name, street address, city, zip code, phone number, and email address. For us to treat your request as an authenticated consumer request, you must:
- Provide sufficient information, commensurate to the type or sensitivity of the information you are requesting, that allows us to reasonably authenticate you are the person about whom we collected personal information or an authorized representative; and
- Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
We cannot respond to your request or provide you with consumer health data if we are unable to: (a) authenticate your identity or authority to make the request, (b) confirm the personal information we have in our systems relates to you, or (c) locate your information in our systems. If the information you provided us does not match our records, in certain circumstances we may request additional information from you.
In certain circumstances, an authorized agent may submit a rights request for you. An authorized agent is a natural person or business entity you have given permission to submit a request on your behalf. An authorized agent must submit a request using one of two designated methods described above. We must be able to authenticate the authorized agent has the authority to act on your behalf. In order to authenticate the authorized agent’s authority, we generally require evidence of either (i) a valid power of attorney; or (ii) a signed letter containing your name and contact information, the name and contact information of the authorized agent, and a statement by you authorizing the authorized agent to submit an authenticated consumer request on your behalf. Depending on the evidence provided, we may still need to separately reach out to you to confirm the authorized agent has permission to act on your behalf and to authenticate your identity in connection with the request.
Response timing and format
We endeavor to respond to an authenticated consumer request to delete within forty-five (45) days of its receipt. If we require more time (up to 45 additional days), we will inform you of the reason and extension period in writing. We will deliver our written response by mail or electronically, at your option. The response we provide will also explain the reasons we cannot comply with a request, if applicable.
We do not charge a fee to process or respond to your authenticated consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
Changes to our WA Policy
We reserve the right to amend this WA Policy at our discretion and at any time. When we make changes to this WA Policy, we will post the updated WA Policy on the website and update the WA Policy’s effective date. Your continued use of our website following the posting of changes constitutes your acceptance of such changes.