Withings Medical Group
Privacy Policy
Withings Medical Group respects your right to privacy. As used in this Privacy Policy, "Withings Medical Group", "we", "us" or "our" means Withings Medical Group PA and, where appropriate, its affiliated professional entities organized to provide clinical services in the states in which we operate.
This Privacy Policy discloses how we gather, use and disclose information about you when you access or use our website located at withings.com/medical (the "Site"), the patient-facing features of the Withings mobile applications made available to you in connection with our clinical services (the "Apps"), and/or through our general business operations, excluding information about our employees and information collected through our medical and healthcare services ("Operations"). When we refer to the Website, Apps, and Operations together, we will call them the "Services."
Please note that this Privacy Policy describes our information practices with respect to your use of the Services. Withings Medical Group PA is an independent entity; this Privacy Policy does not apply to any other data gathered or used by similarly named entities, including Withings, Inc. or Withings SAS, or through websites, consumer products or applications not controlled or operated by Withings Medical Group. Your use of Withings consumer products and services, including the Withings App in its consumer capacity, is governed by the Withings, Inc. Privacy Policy available on the Withings consumer website.
This Privacy Policy is in addition to, and does not replace, our Notice of Privacy Practices, which explains how we use and disclose our patients' protected health information ("PHI") under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). To the extent of a conflict between the terms of this Privacy Policy and the Notice of Privacy Practices with respect to PHI, the Notice of Privacy Practices will control how we use and disclose your PHI.
Please review this Privacy Policy, which is incorporated into and made part of our Terms of Use. By accessing or using the Services, you consent to our collection, use and disclosure of your information in accordance with this Privacy Policy and Terms of Use. If you have any questions about our Privacy Policy or our Terms of Use, please contact us at privacy@withings.com. If you do not agree to our Privacy Policy or Terms of Use, you may not use the Services.
Withings Medical Group reserves the right to change this Privacy Policy from time to time. Where required by law, we will provide notice of material changes. If you use the Services after we post changes to this Privacy Policy, you accept and agree to be bound by the changed policy. The date this Privacy Policy was last updated is identified at the top of this page.
Please use the sections below to learn more:
- What Information Does Withings Medical Group Collect?
- How Does Withings Medical Group Use Information?
- How Does Withings Medical Group Share Information?
- Tracking Technologies and Health Information
- Security
- State-Specific Disclosures
- Links to Third-Party Websites
- Your Choices
- Contact Us
What Information Does Withings Medical Group Collect?
Information You Provide to Us
We collect information you provide directly to us. For example, we collect information when you: create or register an account or profile, complete intake or enrollment forms, use the interactive areas and features of the Services, communicate with your care team through the Services, participate in a survey, pay a bill, request customer or technical support, or otherwise communicate with us.
The types of information we may collect from you include:
- Account Information, such as your name, email address, password, postal address, phone number, date of birth, and any other information you choose to provide.
- Transaction and Insurance Information, such as your health insurance information and limited payment information, such as payment method and payment card information; however, we do not collect or store full payment card numbers, and all payment transactions are processed by our third-party payment processor.
- Information About Others, such as the names and contact information of your healthcare providers, your emergency contacts, your caregivers or proxies, and any dependents under your care.
- Health Information, such as your past and present medical conditions, medications, treatment history, symptoms you report, and physiological measurements you submit through the Services in connection with your care, including in connection with our remote patient monitoring ("RPM") and related clinical programs. Our use and disclosure of health information that constitutes PHI is governed by our Notice of Privacy Practices.
- Other Information You Choose to Provide, such as when you participate in a survey, assessment, or interactive area of the Services, or when you request technical or customer support.
Information We Collect Automatically When You Use the Services
When you access or use the Services, the types of information we may automatically collect about you include:
- Log Information: When you visit the Services, our servers automatically record certain log file information, such as your Internet Protocol ("IP") address, operating system, browser type and language, referring URLs, access times, pages viewed, links clicked, and other information about your activities on the Services.
- Mobile Device Information: We collect information about the mobile device you use to access or use the Services, including the hardware model, operating system and version, unique device identifiers, mobile network information, and information about your use of the Apps. With your consent, we may also collect information about the precise location of your device and access and collect information from certain native applications on your device (such as your device's camera, photo album, microphone, and storage applications) to facilitate your use of certain features of the Services. For more information about how you can control the collection of location information and our access to other applications on your device, please see "Your Choices" below.
- Information Collected by Cookies and Other Tracking Technologies: We and our service providers use various tracking technologies, including cookies and web beacons, to collect information about you when you interact with our Services. Cookies are small data files stored on your hard drive or in device memory that help us improve the Services and your experience, see which areas and features of the Services are popular, and count visits. Web beacons are electronic images that may be used in the Services or in emails and help deliver cookies, count visits, and understand usage. For more information about cookies, and how to disable them, please see "Your Choices" below and our separate Cookies Policy.
- Analytics Services Provided by Others: We may allow service providers to provide analytics services on our behalf. These entities may use cookies, web beacons, and other technologies to collect information about your use of the Services, including your IP address, web browser, pages viewed, time spent on pages, links clicked, and conversion information. We use this information to analyze and track data, determine the popularity of certain content, and better understand the use of the Services. Our use of these technologies is subject to the limitations described in "Tracking Technologies and Health Information" below.
Information Collected from Other Sources
We may also obtain information about you from other sources. For example:
- Connected Withings devices and the Withings App. With your authorization, physiological data generated by Withings devices associated with your account (such as weight, blood pressure, heart rate, and sleep data) may be transmitted to us in connection with our RPM and related clinical programs.
- Your healthcare providers and health plans. We may receive information about you from your other healthcare providers, your health plan, or their business associates in connection with your care, treatment coordination, and payment.
- Health information exchanges and registries. Where permitted by law, we may receive information about you from health information exchanges, state registries, and similar sources.
Once we combine information from other sources with information collected pursuant to this Privacy Policy, we apply this Privacy Policy to the combined information as long as it is combined, except that PHI remains governed by our Notice of Privacy Practices.
How Does Withings Medical Group Use Information?
Withings Medical Group uses information about you for various purposes, including to:
- Provide, maintain and improve our Services and provide you with relevant information;
- Support the delivery and coordination of our clinical services, including RPM and related programs, in accordance with our Notice of Privacy Practices;
- Facilitate scheduling, enrollment, intake, billing, and payment;
- Send you technical notices, updates, security alerts, and support and administrative messages;
- Respond to your comments, questions and requests and provide customer service;
- Communicate with you about our services and, where permitted by law, provide news and information we think will be of interest to you;
- Monitor and analyze trends, usage and activities in connection with our Services;
- Detect, investigate and prevent fraudulent transactions and other illegal activities and protect the rights and property of Withings Medical Group and others;
- Maintain appropriate records for internal administrative, quality, and compliance purposes;
- Comply with applicable legal and regulatory obligations; and
- Carry out any other purpose described to you at the time the information was collected.
Please note, our use of your PHI is explained in our Notice of Privacy Practices.
How Does Withings Medical Group Share Information?
We may share information about you as follows, or as otherwise described in this Privacy Policy:
- With vendors, consultants and other service providers who need access to such information to carry out work or perform services on our behalf, subject to appropriate confidentiality obligations and, where PHI is involved, business associate agreements as required by HIPAA;
- With Withings MSO LLC and its affiliates, which provide administrative, technology, and support services to Withings Medical Group under applicable services agreements and, where PHI is involved, business associate agreements;
- In response to requests from local, state or federal law enforcement officials, or any judicial, administrative or similar proceeding or order, such as a subpoena, if we believe disclosure is in accordance with, or required by, applicable law;
- If we believe your actions are inconsistent with our user agreements or policies, or to protect the rights, property and safety of Withings Medical Group and others;
- To investigate suspected fraud, harassment, physical threats, or other violations of any law, rule or regulation, the Services' rules or policies, or the rights of third parties, or to investigate any suspected conduct which we deem improper;
- In connection with, or during negotiations of, any merger, sale of company assets, financing or acquisition of all or a portion of our business by another company, subject to applicable law governing patient records;
- Between and among Withings Medical Group and our affiliated professional entities;
- With your consent or at your direction, including when you direct us to share information with third-party applications or other healthcare providers;
- To comply with transparency or other public reporting obligations; and
- As otherwise permitted or required by law.
We may also share aggregated or de-identified information that cannot reasonably be used to identify you. De-identification of PHI is performed in accordance with the HIPAA de-identification standards.
We are based in the United States and the information we collect is stored in the United States and, where applicable, within the European Economic Area. By accessing or using the Services or otherwise providing information to us, you consent to the processing of information within the United States and/or the European Economic Area.
For more information about how we share your PHI, please review our Notice of Privacy Practices.
Tracking Technologies and Health Information
We recognize that regulators, including the U.S. Department of Health and Human Services Office for Civil Rights and the Federal Trade Commission, have issued guidance regarding the use of online tracking technologies by healthcare organizations. We do not use cookies, pixels, or similar tracking technologies on authenticated, patient-facing portions of the Services in a manner that discloses PHI to third parties for marketing or advertising purposes. Where a third-party technology vendor may have access to PHI in the course of providing services to us, we require that vendor to enter into a business associate agreement or we configure the technology so that PHI is not disclosed.
Children's Privacy
Withings Medical Group is committed to protecting the privacy of children. The Website and Apps are not intended or designed to attract children, and we do not knowingly collect personal information through the Services from any person known by Withings Medical Group to be a child under the age of 18. Health information we maintain about minor patients in connection with their care is governed by our Notice of Privacy Practices and applicable law.
Security
We seek to use reasonable physical, technical, and administrative measures designed to protect personal information within our organization, consistent with the HIPAA Security Rule where applicable. If you have reason to believe that your interaction with us is no longer secure (for example, if you feel that the security of your account has been compromised), please immediately notify us in accordance with the "Contact Us" section below.
State-Specific Disclosures
Information for California Residents
The California Consumer Privacy Act, as amended by the California Privacy Rights Act (together, the "CCPA"), does not apply to PHI that we collect as a HIPAA covered entity or to medical information governed by the California Confidentiality of Medical Information Act ("CMIA"). Most of the information we collect through the Services falls within these exemptions.
To the extent we collect personal information about California residents that is subject to the CCPA, the following applies:
In the preceding 12 months, we may have collected the following categories of personal information: identifiers (such as name, postal address, IP address, and email address); categories of personal information described in Cal. Civ. Code Section 1798.80(e); internet or other electronic network activity information; geolocation data; and inferences drawn from the foregoing. We collect this information for the purposes described in this Privacy Policy and disclose it to service providers for the business purposes described in this Privacy Policy under written contracts that satisfy the CCPA’s requirements. We do not sell personal information, and we do not share personal information for cross-context behavioral advertising.
Subject to applicable exemptions, California residents have the right to know, correct, and delete personal information we hold about them, the right to limit the use of sensitive personal information, and the right not to be discriminated or retaliated against for exercising these rights. You may exercise these rights by emailing us at privacy@withings.com. We may request information from you to verify your identity before processing your request. You may designate an authorized agent to submit a request on your behalf. We will respond to verifiable requests within the timeframes required by the CCPA.
Consumer Health Data Laws (Washington, Nevada, and Similar States)
Certain states, including Washington and Nevada, have enacted consumer health data privacy laws. These laws generally do not apply to PHI governed by HIPAA or to information maintained by covered entities in the same manner as PHI. To the extent we process consumer health data that is not exempt under these laws, we will provide any required notices and honor applicable rights. Residents of these states may contact us at privacy@withings.com with questions.
Other State Privacy Laws
Residents of other states with comprehensive privacy laws may have rights with respect to personal information that is not exempt under those laws, which generally exempt PHI and information maintained by HIPAA covered entities. To submit a request or ask a question regarding your rights under applicable state law, please contact us at privacy@withings.com.
Links to Third-Party Websites
Our Services may reference or provide links to third-party websites, applications, or services, and other websites may reference or link to our Services. Because these websites and services are not controlled by Withings Medical Group, we are not responsible for them. We encourage you to be aware when you leave our Services and to review the privacy policies posted on each website and application that collects personally identifiable information. Withings Medical Group does not control, endorse, screen or approve, and is not responsible for, the privacy policies or information practices of third parties or their websites or mobile applications. Visiting these other websites is at your own risk.
Your Choices
Account Information
You may update, correct or modify information about you at any time by logging into your online account or by contacting us at privacy@withings.com. If you wish to deactivate your account, please contact us, but note that we may continue to store information about you as required by law or for legitimate business purposes. Please note that medical records are subject to legal and regulatory retention requirements and cannot be deleted upon request; rights with respect to your medical record, including access and amendment, are described in our Notice of Privacy Practices.
Communications
You may unsubscribe from receiving marketing or other commercial emails from us by following the instructions included in the email or by adjusting your communication preferences in your account settings. However, even if you opt out of receiving such communications, we retain the right to send you non-marketing communications, such as important information about your care, transactional messages, security alerts, and changes to our terms and policies.
Location Information
With your consent, we may collect information about the location of your device when you use the Apps. You may stop the collection of this information at any time by changing the settings on your mobile device, but note that some features of the Apps may no longer function if you do so.
Native Applications on Your Mobile Device
Some features of the Apps may require access to certain native applications on your mobile device, such as the camera, photo storage, microphone, and storage applications (for example, to take and upload photos or documents for your care team). If you decide to use these features, your mobile device will ask for your consent prior to accessing the applications and collecting information. You can revoke your consent at any time by changing the settings on your device. Please be aware that photos, videos, audio, and files you submit through the Apps in connection with your care may be stored in your medical record.
Cookies and Your Ad Choices
Most web browsers are set to accept cookies by default. If you prefer, you can usually choose to set your browser to remove or reject browser cookies. Please note that if you choose to remove or reject cookies, this could affect the availability and functionality of the Services. We honor opt-out preference signals, such as the Global Privacy Control, where required by applicable law. Please see our separate Cookies Policy to learn about how we use cookies and your choices in relation to the use of cookies.
Push Notifications
With your consent, we may send push notifications or alerts to your mobile device. You can deactivate these messages at any time by changing the notification settings on your mobile device or within the Apps.
Contact Us
If you have any questions about this Privacy Policy or concerns about the way Withings Medical Group processes your information, or require assistance in managing your privacy choices, please contact us at:
Email: privacy@withings.com
Postal Address:
Withings Medical Group PA
225 Franklin Street, Suite 1250
Boston, MA 02110
Attn: Privacy Office
For questions regarding your PHI or to exercise your rights under HIPAA, please refer to the contact information in our Notice of Privacy Practices.