Last modified: April 8, 2021

CityHealth, a medical corp. (“CityHealth” “we,” “our,” or “us”) is committed to protecting your privacy.

You and your data are not our product. Our business is your health, not your data. We do not sell your data.

To understand how CityHealth protects your privacy, we suggest that you start by reading our Privacy Overview, which is a summary of our privacy protections as represented by this document. The Privacy Overview is organized to present answers for privacy concerns that are most regularly discussed with us, and it also links to our full Privacy Policy below. We recommend that you carefully review the full policy.

Privacy Overview

Keeping Your Data Yours

Do we sell personal information? No

Do we sell Protected Health Information (“PHI”)? No

Do we sell aggregate or de-identified healthcare information? No

Do we use Protected Health Information (“PHI”) for advertising or marketing purposes? No

Do we delete personal information received by our Website upon request? Yes, where allowed by law.

Respecting Your Protected Health Information

Do we employ protections specific to Protected Health Information (“PHI”)? Yes

Do we abide by healthcare laws for the preservation of healthcare information? Yes

Do we share healthcare information with your employer or your school? Only with your explicit, signed, authorization.

Do we delete healthcare information collected from our Website and Application upon request? Yes, where allowed by law.

Do we allow you to download, receive copies of, and where appropriate make corrections to your Protected Health Information (“PHI”)? Yes

Our Privacy Tooling, Your Privacy Choices

Is your healthcare data, your Protected Health Information (“PHI”), protected by default? Yes.

Do we provide the same stringent protections for all users, from individuals to large enterprises? Yes

Do we allow users to opt-out of receiving advertising or marketing content? Yes

Do we delete non-healthcare information collected from our Website upon request? Yes, where allowed by law.

Do we use non-healthcare information collected from our Website for advertising or marketing purposes? Yes

Do we allow users to opt-out of receiving targeted advertising or marketing content? Yes

Do we allow users to opt-out of receiving CityHealth promotional emails? Yes

Tracking Technologies, Analytics, and Customer Engagement

Do we use Cookies (or browser cookies) to receive and store certain types of information? Yes

Do we allow users to refuse to accept browser cookies by activating the appropriate setting in their web browser or mobile device? Yes

Do we use web analytics services to help us analyze your use of our Website, and to help us identify and address technical issues? Yes

Do we use customer engagement platforms to help us improve our services? Yes.

Do we allow users to opt-out of receiving targeted advertising or marketing content? Yes

1. Introduction

CityHealth, a medical corp. (“CityHealth,” “we,” “our,” or “us”) respects your privacy, and we are committed to protecting it through our compliance with this policy and also through our compliance with our Notice of Privacy Practices (“HIPAA Privacy Practices”, “Notice of HIPAA Privacy Practices”).

This Privacy Policy (our “Privacy Policy”) describes the types of information we may receive from you or that you may provide when you visit the website cityhealthuc.com, norcalcovid19testing.com or cityhealth.com (our “Website”) and the CityHealth applications (collectively, our “Application”) and our practices for collecting, using, maintaining, protecting, and disclosing that information.

This Policy does not define how we ensure our adherence to Federal and State laws regarding your Protected Health Information, including the Health Insurance and Portability Act of 1996 (“HIPAA”). Our policies regarding the processing of your Protected Health Information (“PHI”) are covered in our Notice of Privacy Practices (“HIPAA Privacy Practices”). Our HIPAA Privacy Practices define how we preserve the privacy of your Protected Health Information, and you should refer to that document, not this one, regarding all processes associated with your healthcare records and other PHI.

CityHealth websites and applications, including cityhealthuc.com, cityhealth.com, or norcalcovid19testing.com that do not require secure accounts and authentication, do not host Protected Health Information (“PHI”). Our websites and applications that do not host PHI are available to everyone on the internet, and represent information made generally available by us, and these sites receive information made available by visitors and users.

While it is important to understand the difference between the content generally exchanged between us and users of our websites and applications that do not require you to have an account, and the information shared by, and with, CityHealth through our private sites and applications that require authorized accounts, for all personal information you share with us the following holds true:

We do not sell any personal information that may have been received by any CityHealth websites or applications you may have visited or otherwise used.

Furthermore, we have committed that:

In addition to these protections that we provide for all data, we do also employ a great number of additional privacy measures and restrictions specific to your PHI as detailed in our HIPAA Privacy Practices. Please reference that policy for information about the care and handling of your Protected Health Information.

This Privacy Policy applies to information that is not Protected Health Information, and which we may collect:

This policy does not apply to information collected by:

Please read this document carefully to understand our policies and practices regarding your information that is not Protected Health Information, and how we will treat it. If you do not agree with our policies and practices, your choice is not to use our Website and Applications. By accessing or using our Website and/or Application, you agree to this Privacy Policy. This Privacy Policy may change from time to time (see Changes to Our Privacy Policy). Your continued use of our Website or Application after we make changes is deemed to be acceptance of those changes, so please check this Privacy Policy periodically for updates.

2. Children Under the Age of 18

If you are under the age of eighteen (18) and wish to create an account with CityHealth, your parent or legal guardian must create the account, submit your Personal Data, and agree to these Terms of Use on your behalf. If you are under the age of 13, you may only use our services or access our Website or Application with the supervision and consent of your parents or legal guardians, including the Provider consultation services. If we learn that we have collected personal information from someone under the age of 13 that was not provided with the supervision and consent of the minor’s parents or legal guardian, we will promptly delete that information. If you believe we have impermissibly collected personal information from someone under the age of 13, please contact us at [email protected] or call us at 1 (888) 981-7716.

3. Information We Collect About You and How We Collect It

Generally

We collect several types of information from and about users (collectively, “Personal Data”) of our Website and Application that do not require you to have an account. As noted above, all information collected from our websites and applications that do require accounts and secure authentication, and all healthcare data, is considered Protected Health Information by CityHealth and you should refer to our HIPAA Privacy Practices to understand our care and handling of that information. This policy describes our processing of Personal Data that is not PHI, but which may include information:

We collect this information:

Information You Provide to Us

The information we collect on or through our Website or through our Application that do not require you to have an account includes:

You also may provide information to be published or displayed (hereinafter, “posted”) on public areas of the Website or Application or transmitted to other users of the Website or Application or third parties (collectively, “User Contributions”). Your User Contributions are posted on our Website or Application and transmitted to others by your own actions, and at your own risk. Although we limit access to certain pages, please be aware that no security measures are perfect or impenetrable. Additionally, we cannot control the actions of other users of the Website and Application with whom you may choose to share your User Contributions. Therefore, we cannot and do not guarantee that your User Contributions will not be viewed by unauthorized persons.

Information We Collect Through Automatic Data Collection Technologies

As you navigate through and interact with our Website and Application, we may use automatic data collection technologies to collect certain information about your equipment, browsing actions, and patterns, specifically:

The information we collect automatically may include Personal Data or we may maintain it or associate it with Personal Data we collect in other ways or receive from third parties. We will not share any of your Protected Health Information (“PHI”) with third parties except as detailed in our HIPAA Privacy Practices. Our use of automatic data collection technologies defined in this policy does not change any of the protections applied to your PHI and you should refer to our HIPAA Privacy Practices and not this document to understand how your PHI is protected. We employ automatic data collection technologies to help us to improve our Website and Application and to deliver a better and more personalized service as thy enable us to:

The technologies we use for this automatic data collection may include:

4. How We Use Your Information

CityHealth will use and disclose Protected Health Information only as permitted in CityHealth’s HIPAA Privacy Practices or in agreements with other medical providers, including your own medical provider (if you do not use a CityHealth Provider) and we only collect the PHI we need to fully perform our services and to respond to you or your Provider. The care and handling of PHI, whether by CityHealth (or your own medical provider if you do not use a CityHealth Provider) must be defined by a Notice of Privacy Practices (“HIPAA Privacy Practices”) describing the collection, use, and disclosure of your health information. If you do not use a CityHealth Provider, please ask your provider to provide you with their Notice of Privacy Practices (“HIPAA Privacy Practices”).

To understand how CityHealth may use Protected Health Information (“PHI”) please refer to our HIPAA Privacy Practices and not this Policy. The CityHealth HIPAA Privacy Practices do not apply to healthcare workers that are not provided by CityHealth

For clarity, our use of any information we collect that constitutes Protected Health Information (“PHI”) under the U.S. Health Insurance Portability and Accountability Act (“HIPAA”) is described in our HIPAA Privacy Practices and not this Policy.

Data we receive that is not PHI may include information that we collect about you or that you provide to us, including any Personal Data used:

We will not use Protected Health Information (“PHI”) for any purpose that is not defined in our HIPAA Privacy Practices, including advertising or marketing purposes, without your consent.

We may use your information that is not PHI to contact you about goods and services that may be of interest to you, including through newsletters. If you wish to opt-out of receiving such communications, you may do so at any time by clicking unsubscribe at the bottom of these communications, by visiting your Account page, or by reaching out to our support team available from [email protected] For more information, see Choices About How We Use and Disclose Your Information.

5. Disclosure of Your Information

We do not sell Personal Data. We do not share or otherwise disclose your Personal Data for purposes other than those outlined in this Privacy Policy. We will not use Protected Health Information (“PHI”) for any purpose that is not defined in our HIPAA Privacy Practices, including advertising or marketing purposes, without your consent. We may disclose aggregated information about our users, and information that does not identify any individual, without restriction.

We may disclose Personal Data we collect, or you provide, that is not Protected Health Information as described in this Privacy Policy:

We may also disclose your Personal Data:

6. Choices About How We Use and Disclose Your Information

We do not sell Personal Data. We do not share or otherwise disclose your Personal Data for purposes other than those outlined in this Privacy Policy. We will not use Protected Health Information (“PHI”) for any purpose that is not defined in our HIPAA Privacy Practices, including advertising or marketing purposes, without your consent.

We do not control the collection and use of your Personal Data that is not Protected Health Information defined in our HIPAA Privacy Practices, and which may be collected by third parties as described above in the Disclosure of Your Information section of this Policy. These third parties may aggregate the information they collect with information from their other customers for their own purposes.

We strive to provide you with choices regarding the Personal Data you provide to us. We have created mechanisms to provide you with control over your Personal Data:

7. Your Rights Regarding Your Information and Accessing and Correcting Your Information

You can review and change your Personal Data by logging into our Website or Application and visiting either the Settings or Account sections of our Application or Website. You may also notify us through the Contact Information below of any changes or errors in any Personal Data we have about you to ensure that it is complete, accurate, and as current as possible or to delete your account. We cannot delete your personal information except by also deleting your account with us. We may also not be able to accommodate your request if we believe it would violate any law or legal requirement or cause the information to be incorrect.

With respect to any Protected Health Information that CityHealth may obtain, you have certain rights under HIPAA to access your data, to restrict use and disclosure of it, to request communication methods, to request corrections to your data, to receive an accounting of disclosures and to receive notice of any breach. To understand your rights regarding your Protected Health Information please see our HIPAA Privacy Practices, or if you do not use a CityHealth Provider, please ask your Provider for their Notice of Privacy Practices (“HIPAA Privacy Practices”), for more information.

8. Do Not Track Signals

We also may use automated data collection technologies to collect information about your online activities over time and across third-party websites or other online services (behavioral tracking). Some web browsers permit you to broadcast a signal to websites and online services indicating a preference that they “do not track” your online activities. At this time, we do not honor such signals, and we do not modify what information we collect or how we use that information based upon whether such a signal is broadcast or received by us.

9. Data Security

We have implemented measures designed to secure your Personal Data from accidental loss and from unauthorized access, use, alteration, and disclosure. We use encryption technology for information sent and received by us. We also employ other security practices, such as data segmentation, access log collection, automated monitoring, and other security controls.

The safety and security of your information also depends on you. Where you have chosen a password for the use of our Website or Application, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.

Unfortunately, the transmission of information via the Internet is not completely secure. Although we work diligently to try and protect your Personal Data, we cannot guarantee the security of your Personal Data transmitted to our Website or on or through our Application. Any transmission of Personal Data is at your own risk. We are not responsible for circumvention of any privacy settings or security measures contained on the Website, in your operating system, or in the Application.

10. California Residents

CityHealth has committed to honor the terms of the California Consumer Privacy Act of 2018 (CCPA) in the care and handling of your Personal Data that is not Protected Health Information protected by other laws. The CCPA expressly excludes personal information collected, processed, sold, or disclosed pursuant to certain sector-specific privacy laws, including medical information governed by the California Confidentiality of Medical Information Act (CMIA), protected health information collected by a covered entity or business associate governed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), or a provider of health care governed by the CMIA or covered entity governed by HIPAA to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information under the CMIA or HIPAA, respectively. This Policy does not define how we ensure our adherence to Federal and State laws regarding your Protected Health Information, including the Health Insurance and Portability Act of 1996 (“HIPAA”). Our policies regarding the processing of your Protected Health Information (“PHI”) are covered in our Notice of Privacy Practices (“HIPAA Privacy Practices”). Our HIPAA Privacy Practices define how we preserve the privacy of your Protected Health Information, and you should refer to that document, not this one, regarding all processes associated with your healthcare records and other PHI.

For clarity, Protected Health Information (“PHI”) collected by CityHealth falls under the CCPA exclusions, and is generally exempt from the CCPA, and is instead protected by our adherence to our HIPAA Privacy Practices.

The CCPA does provide you with rights regarding your data that is not covered by healthcare related exemptions, the handling of which is defined in our HIPAA Privacy Practices.

Your CCPA Granted Rights and How to Exercise Them

Your right to know the personal information we collect from you and how we may share or otherwise disclose it.

The CCPA gives you the right to know the personal information we may have collected about you, and you may request that we disclose this to you by contacting us through the channels defined in the Contact Information section of this document. This CCPA protected right will be upheld once we receive and confirm the validity of your request.

CityHealth does not sell Personal Data. We do not share or otherwise disclose your Personal Data for purposes other than those outlined in this Privacy Policy. We will not use Protected Health Information (“PHI”) for any purpose that is not defined in our HIPAA Privacy Practices. Protected Health Information (“PHI”) collected by CityHealth falls under the CCPA exclusions, and is generally exempt from the CCPA, and is instead protected by our adherence to our HIPAA Privacy Practices. The CCPA does apply to Personal Data that we collect, or you provide, as described in this Privacy Policy, and which we may disclose. You have the right to request that we provide a means to download your personal information that we have collected that is not exempt from the CCPA. If you make such a request regarding data that is not PHI exempted from the CCPA, we will include a list of the categories of personal information that we may have disclosed about you, as well as the categories of third parties to whom your personal information may have been disclosed. To understand how we protect your PHI that is exempted from the CCPA, please refer to our HIPAA Privacy Practices.

Contacting Us to Request a CCPA Disclosure

You may contact us through the channels defined in the Contact Information section of this document to request a disclosure of your Personal Data that is protected by the CCPA.

The CCPA ensures that you have the right to make a request for such a disclosure twice in any 12-month period. CityHealth will make the requested disclosure within 45 days of receiving your request, unless we determine the need for, and then request an extension. If we determine that we have a reasonably defined need for a 45-day extension, we will notify you of the extension within the initial 45-day period.

Right of deletion

You have the right to request that we delete your personal information. Any such request is subject to certain exceptions, including Federal and State laws regarding your Protected Health Information, as with the Health Insurance and Portability Act of 1996 (“HIPAA”). Upon receipt of a deletion request from you, we will validate the request, and then delete your personal information, as well as direct our service providers to delete any of your personal information, unless an exception applies. To request deletion of personal information protected by the CCPA, you may contact us through the channels defined in the Contact Information section of this document.

Right to non-discrimination

You have the right not to receive any discriminatory treatment as a result of any choice or action on your part to exercise your privacy rights as provided by the CCPA.

Disclosures About Your Personal Information Protected by CCPA

Categories of information we collect and disclose for a business purpose

The following categories of personal information, as defined in the CCPA, are collected from you in connection with your use of the CityHealth Website and Application. To understand our collection, use, and disclosure of your Protected Health Information (“PHI”) please refer to our HIPAA Privacy Practices and not this document. Protected Health Information (“PHI”) collected by CityHealth falls under the CCPA exclusions, and is generally exempt from the CCPA. Personal Information that we may have disclosed in the last twelve months that does not fall under protections documented in our HIPAA Privacy Practices, and information which is not exempt from the CCPA, includes the following categories of personal information used for a business purpose:

According to California law, the CCPA does not apply to, and personal information does not include:

Other disclosures about your personal information

This Policy does not define how we ensure our adherence to Federal and State laws regarding your Protected Health Information, including the Health Insurance and Portability Act of 1996 (“HIPAA”). Our policies regarding the processing of your Protected Health Information (“PHI”) are covered in our Notice of Privacy Practices (“HIPAA Privacy Practices”). This Privacy Policy defines additional disclosures about your personal information that CCPA requirements ensure are provided to you. Please read the whole of this Privacy Policy and also our HIPAA Privacy Practices to understand the various sources including our Website and Application from which we collect your personal information, the business or commercial purposes for which we collect your personal information, and the categories of third parties with whom we share your personal information.

How to contact us

If you have questions about your rights or our disclosures under the CCPA, you may reach us through the channels defined in the Contact Information section of this document.

Further, note that information regarding CityHealth job applicants, employees, owners, directors, officers, or contractors, emergency contact information from the same, and information necessary for CityHealth to administer benefits to the same, and information CityHealth obtains from a consumer acting on behalf of a company and whose communications with CityHealth occur solely within the context of CityHealth conducting due diligence regarding, or providing or receiving a product or service to or from another company, are generally exempt from much of CCPA, as different rules, laws, and regulations apply to your Protected Health Information. To understand your rights regarding your Protected Health Information please see our HIPAA Privacy Practices, or if you do not use a CityHealth Provider, please ask your Provider for their Notice of Privacy Practices (“HIPAA Privacy Practices”), for more information. If you have questions about any of the foregoing, please contact us using the information set forth below under Contact Information.

11. Changes to Our Privacy Policy

We will not weaken the privacy protections applied to your Personal Data as defined in this Privacy Policy without first notifying you. We reserve the right to make changes to this Privacy Policy at any time. It is our policy to post any changes we make to our Privacy Policy on this page with a notice that the Privacy Policy has been updated on the Website’s home page or the Application’s home screen. If we make material changes to how we treat our users’ Personal Data, we will notify you by sending email to the email address specified in your account or through a notice on the Website’s home page or the Application’s home screen. To understand your rights regarding your Protected Health Information please see our HIPAA Privacy Practices, or if you do not use a CityHealth Provider, please ask your Provider for their Notice of Privacy Practices (“HIPAA Privacy Practices”), for more information. The date this Privacy Policy was last revised is identified at the top of the page. You are responsible for ensuring we have an up-to-date active and deliverable email address for you, and for periodically accessing the Application or visiting our Website and reviewing this Privacy Policy to check for any changes.

12. Contact Information

If you have any questions, concerns, complaints or suggestions regarding our Privacy Policy or otherwise need to contact us, you may contact us at the contact information below or through the “Contact Us” page on our Website or in the Application.

How to Contact Us:

CityHealth, a Medical Corp.

Telephone: 1 (888) 981-7716

Email: [email protected]