Last Updated: November 13, 2017
ePerkz, LLC (“ePerkz,” “we,” or “us”) understands that privacy is tremendously important to the online visitors to our website, www.ePerkz.com (the “Site”), and the insurance carriers, insurance brokers, administrators, businesses and users who have subscribed to or otherwise are authorized users of the web-based employee benefits enrollment software solution we make available via the Site (the “Services”). Users of our Services may be an insurance carrier, broker or administrator that subscribes to our services for its client Groups (each, an “Agency”), such Groups, and the employees or other authorized users of such Agencies or Groups. Each separate entity (or for legally affiliated entities that are considered a single “employer” for employee benefits purposes and for which a single account is requested and subscribed, such group of affiliated entities) for which a Services account is created is considered a “Group” for purposes of this Policy. As we describe below, Agencies, Groups and their users decide which data is integrated with the Services.
A Special Note for International Users of the Services: Our computer systems are currently based in the United States, so your personally identifiable information will be processed by us in the United States, where data protection and privacy regulations may be different than other parts of the world, such as the European Union. If you visit the Site or use the Services as a visitor from outside the United States, you are agreeing to the terms of this Policy and our Terms, and you will have consented to the transfer and processing of all such information in the United States, which may not offer an equivalent level of protection of that in the European Union or certain other countries.
This Policy provides the following information:
How We Collect and Use Information
How We Share Information
How We Protect Your Information
Choices About Your Information
Compliance with HIPAA and the HITECH Act
Links to Other Websites and Services
How to Contact Us
Changes to This Policy
Transparency. We will always be transparent with the methods we use to collect data and describe exactly how we will use it to the benefit and strict direction of our Agencies, Groups and their users.
1. HOW WE COLLECT AND USE INFORMATION
We collect the following types of information:
Information about Agencies, Groups and Their Users: We ask for certain information when an Agency or Group user registers with ePerkz, or if the user corresponds with us online, which may include a name, Agency name, Group name, email address and/or account name and password, phone number, and/or message content. We may also retain information provided by a user if the user sends us a message, posts content to one of our websites or through our Services, or responds to emails or surveys. Once an Agency, Group or their users begin using the Services, we will keep records of activities related to the Services. We use this information to operate, maintain, and provide the features and functionality of the Services, to monitor our service offerings and functionality, and to communicate with our Agencies, Groups and their users.
We may also use general information we collect from Agencies, Groups and their users to periodically send information that we think our Agencies or Groups might find of interest from ePerkz or its affiliates such as new services, special offers, or other important service changes. You may choose not to receive these communications by contacting us at email@example.com or by following the opt-out procedure outlined in such communications. Please note that opting out of receiving these communications will not remove your personal information from our files, and we will still contact you as necessary to provide the Services at your request. We do not rent or sell user contact information to third parties for marketing purposes. We do not use Personal Data for marketing purposes, and we do not send marketing communications to non-administrative users.
Personal Data: ePerkz may have access to personally identifiable information about the employee end users (“Employees”) of Groups participating in the Services (“Personal Data”) in the course of providing the Services. We consider Personal Data to be confidential and do not use such data for any purpose other than to provide the Services on behalf of subscribing Agencies and Groups as agreed in Terms or the agency license agreement by and between us and the Agency (“License Agreement”), if applicable. We may receive Personal Data from an Agency, Group or Employee. In all cases, we have access to Personal Data only as requested by the Client and only for the purposes of performing Services on the Agency’s or Group’s behalf.
Information Collected through Technology: We automatically collect certain types of usage information when visitors view the Site or use the Services. We may send one or more cookies — a small text file containing a string of alphanumeric characters — to your computer that uniquely identifies your browser and lets ePerkz help you log in faster and enhance your navigation through the Site and Services. A cookie may also convey information to us about how you use the Site or the Services (e.g., the pages you view, the links you click and other actions you take on the Site or the Services), and allow us to track your usage of the Site or Services over time. We may collect log file information from your browser or mobile device each time you access the Site or Services. Log file information may include anonymous information such as your web request, Internet Protocol (“IP”) address, browser type, information about your mobile device, number of clicks and how you interact with links on the Site or Services, pages viewed, and other such information. We may employ clear gifs (also known as web beacons), which are used to anonymously track the online usage patterns of our users. In addition, we may also use clear gifs in HTML-based emails sent to our Agencies or Groups to track which emails are opened and which links are clicked by recipients. The information allows for more accurate reporting and improvement of the Site and Services. We may also collect analytics data, or use third-party analytics tools, to help us measure traffic and usage trends for the Site and Services. We do not allow third party advertising networks to collect information about the users of our Site or Services.
We use or may use the data collected through cookies, log files, device identifiers, and clear gifs information to: (a) remember information so that a user will not have to re-enter it during subsequent visits; (b) provide custom, personalized content and information; (c) to provide and monitor the effectiveness of our Services; (d) monitor aggregate metrics such as total number of visitors, traffic, and usage on our website and our Services; (e) diagnose or fix technology problems; and (f) help users efficiently access information after signing in.
Other non-public information or data received from Agencies that constitutes “confidential information” under the terms of the Agency’s applicable License Agreement will be subject to the confidentiality terms outlined in that agreement.
2. HOW WE SHARE INFORMATION
ePerkz only shares personal information in a few limited circumstances, described below. We do not rent or sell information for marketing purposes.
We may share information (including Personal Data) with certain third-party providers whose software or services interface with or otherwise may receive information from, or provide information to, the Services, but only as provisioned through the user interface, or as directed or approved by our Agencies or Groups. We do not release Personal Data to any third party without the prior written consent of the Group or the affected Employee.
We may share information with those that provide us with technology services (e.g. web hosting and analytics services), but strictly for the purpose of carrying out their work for us.
We may be required to share information with law enforcement or other third parties when compelled to do so by court order or other legal process, to comply with statutes or regulations, to enforce our Terms or License Agreements (if applicable), or if we believe in good faith that the disclosure is necessary to protect the rights, property or personal safety of our users.
If we sell, divest or transfer the business or a portion of our business, we may transfer information, provided that the new provider has agreed to data privacy standards no less stringent than our own. We may also transfer personal information – under the same conditions – in the course of mergers, acquisitions, bankruptcies, dissolutions, reorganizations, liquidations, similar transactions or proceedings involving all or a portion of our business.
By submitting or posting information, materials or content via the Site (but not the Services), you agree that we can further distribute such content as described in the Terms under “Submissions.” You agree that you have no expectation of or right to privacy with respect to such Submissions, except for any limits on our ability to use or distribute such content as set forth in the Terms.
3. HOW WE PROTECT YOUR INFORMATION
We store our data in the United States and we take strong measures to keep data safe and secure.
Storage and Processing: Any information collected through our Site or Services is stored and processed in the United States. If you use our Site or Services outside of the United States, you consent to have your data transferred to the United States.
Keeping Your Information Safe: ePerkz maintains strict administrative, technical and physical procedures to protect information stored in our servers, which are located in the United States. While no service provider can guarantee absolute security when communicating over the internet or wireless networks, we are committed to taking steps to help secure any personal information that may be in our possession. Access to information is limited (through user/password credentials and two factor authentication) to those employees who require it to perform their job functions. We use industry-standard Secure Socket Layer (SSL) encryption technology to safeguard the account registration process and sign-up information. We secure our system against external hacking and attacks with firewalls and restricted access protocols. We are not responsible for the security of any data or information that is not stored or maintained on our servers or systems.
You are solely responsible for maintaining the secrecy of any password used to log in to the Services, if any, and you should always be mindful and responsible whenever disclosing information online that the information is potentially accessible to the public, and consequently, could be collected and used by others without your consent.
4. CHOICES ABOUT YOUR INFORMATION
Marketing Communications: Site visitors can opt-out of receiving promotional email from us by clicking on the “unsubscribe” feature at the bottom of each email. You cannot unsubscribe from Service-related messaging. Agencies and Groups can opt-out of receiving promotional email from us by contacting us at support@ePerkz.com or by following the opt-out procedure outlined in such communications. You cannot unsubscribe from Services-related messaging.
Account Information and Settings: Agencies and Groups may update account information and modify Services by signing into the administrator account. If you have any questions about reviewing or modifying account information, contact us directly at support@ePerkz.com.
Access to Personal Data: Personal Data is provided and controlled by our Agencies and Groups. Agencies and Groups have access to their Personal Data via the Services. Different levels of access in our Services require different permissions, and we look to the Group or its Agency to designate such permissions. System administrators assigned by a Group or its Agency will have the ability (independently of ePerkz) to enable or disable access by any given user to various portions of the Services, and if a Group or Agency desires to have us disable access by any previously-authorized Group or Agency user, an authorized official of the Grourp or Agency must notify us in writing, and we will take reasonably prompt measures to disable access for that user as requested. If you have any questions about reviewing, modifying, or deleting personal information of an Employee, please contact your Group directly.
Deleting or Disabling Cookies: You may be able to disallow cookies to be set on your browser. Please look for instructions on how to delete or disable cookies and other tracking/recording tools on your browser’s technical settings. You may not be able to delete or disable cookies on certain mobile devices and/or certain browsers. For more information on cookies, visit www.allaboutcookies.org. Remember, disabling cookies may disable some of the features available on the Services.
How Long We Keep User Content: Following termination or deactivation of a Group account, ePerkz may retain profile information and content for a commercially reasonable time for backup, archival, or audit purposes, but any and all Personal Data associated with the Group will be deleted as described in our Terms or License Agreement, as applicable. We may maintain anonymized or aggregated data, including usage data, indefinitely for analytics purposes. If you have any questions about data retention or deletion, please contact.support@ePerkz.com.
5. COMPLIANCE WITH HIPAA AND THE HITECH ACT
Personal Data may include “personal health information” or “protected health information” (“PHI”), as that term is defined in 45 C.F.R. § 164.501. ePerkz will protect and provide for the security of such and to comply with the business associate requirements of HIPAA and the HITECH Act in accordance with the terms and conditions set forth in this Section 5, which shall be considered the “Business Associate Agreement” or “BAA” for purposes of HIPAA. Further, pursuant to its License Agreement, ePerkz also requires each Agency to comply with the business associate requirements of HIPAA and the HITECH ACT as described herein. For purposes of these provisions, each Group is considered the “covered entity”, and each of ePerkz and an Agency is considered a “Business Associate” (provided, however, that nothing in this Section 5 shall render ePerkz liable or responsible for Agency’s compliance, or lack thereof, with the terms of this Section 5).
Definitions. All capitalized terms not otherwise defined in this Section 5 shall have the meanings set forth in the HIPAA Privacy and Security Rules, 45 C.F.R. § 164.101 et seq.
Breach. The term “Breach” means the acquisition, access, use, or disclosure of unsecured PHI in a manner not permitted under the HIPAA Privacy or Security Rules that compromises the security or privacy of the PHI, as defined in 45 C.F.R. §164.402. To the extent the HIPAA Privacy and Security Rules changes the meaning of such term, this BAA shall be modified automatically to correspond to the meaning given in such rule.
HHS. The term “HHS” means the U.S. Department of Health and Human Services.
Secretary. The term “Secretary” means Secretary of the U.S. Department of Health and Human Services.
Technical Safeguards. The term “Technical Safeguards” means the technology and the policy and procedures for its use that protect electronic PHI and control access to it.
Unsecured Protected Health Information or PHI. The term “Unsecured Protected Health Information or “PHI” means protected health information that is not rendered unusable, unreadable or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in the guidance issued under section 13402(h)(2) of Public Law 111-5 on the HHS Web site.
Use and Disclosure Obligations. Business Associate agrees to use and disclose PHI that is provided by the Group to Business Associate, or that Business Associate creates or receives on behalf of the Group pursuant to the Services Agreement, only to the extent necessary to perform the Services. Business Associate agrees not to use or further disclose such PHI other than as permitted or required by this BAA or as required by law. Nothing in this BAA shall be construed to authorize Business Associate to use or disclose any such PHI in a manner that would violate the HIPAA Privacy and Security Rules, if such use or disclosure were made by a HIPAA covered entity. Business Associate shall not directly or indirectly receive remuneration in exchange for disclosing PHI received from or on behalf of Group except as permitted by HITECH Act § 13405 and any implementing regulations that may be promulgated or revised from time to time.
Exceptions. Notwithstanding the foregoing, Business Associate may use PHI for its own proper management and administration and to fulfill any present or future legal responsibilities of Business Associate that are permissible under applicable state and federal privacy laws, and it may disclose such PHI if (i) the disclosure is required by law as provided for in 45 C.F.R. § 164.501; or (ii) Business Associate obtains, in writing, reasonable assurances as required by the HIPAA Privacy and Security Rules from the person to whom the PHI is disclosed that such PHI will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person agrees to notify Business Associate of any instances of which it is aware in which the confidentiality of the PHI has been Breached.
Limited Data Set. Business Associate agrees to limit, to the extent practicable and except as permitted by 45 C.F.R. § 164.502(b)(2) its uses, disclosures and requests of PHI under this BAA to a Limited Data Set (as defined in 45 C.F.R. § 164.514(c)(2)) or, if needed by Business Associate, to the minimum necessary PHI to accomplish the intended purpose of such use, disclosure or request. This provision will cease to apply on the effective date of guidance issued by the Secretary in accordance with the HITECH Act.
Safeguards. Business Associate will use appropriate safeguards to prevent the use or disclosure of PHI other than as provided for in this BAA. Business Associate shall develop and implement written security policies and procedures as required under the HIPAA Privacy and Security Rules with respect to PHI. Business Associate shall secure all PHI by technology that renders the PHI unusable, unreadable or indecipherable to unauthorized individuals. Such technology shall comply with the Breach safe harbors set forth in HHS Guidance on Unsecured PHI.
Business Associate will implement physical, administrative, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI that it creates, receives, maintains, or transmits on behalf of the Group as required under the HIPAA Privacy and Security Rules.
Business Associate will ensure that any agent to whom Business Associate provides PHI agrees to implement reasonable and appropriate safeguards to protect the information as required under the HIPAA Privacy and Security Rules.
Business Associate will report to Group any attempted or successful unauthorized access, use, disclosure, modification, or destruction of PHI or interference with system operations in its information systems of which Business Associate becomes aware as required under the HIPAA Privacy and Security Rules.
Security and Reporting Obligations.
Business Associate will report to the Group any use or disclosure of PHI of which Business Associate becomes aware that is not permitted by this BAA. Additionally, Business Associate agrees that it shall notify the Group when it discovers a Breach of Unsecured PHI. Business Associate agrees to implement a reasonable process for detecting Breaches, investigating Breach reports and mitigating potential damage to affected individuals. Business Associate shall implement a security breach notification plan. Business Associate shall provide Group with notification of a Breach of Unsecured PHI without unreasonable delay, but in no case later than sixty (60) days following the day Breach is discovered or by exercise of reasonable diligence would have been discovered to Business Associate. Business Associate shall be deemed to have knowledge of a Breach if the Breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the Breach, who is an employee, officer or other agent of Business Associate. Agency shall be determined in accordance with the federal common law of agency.
Business Associate shall provide to Group any available information that the Group is required to include in notification to the Individual(s) affected by the Breach at the time of the initial notification or promptly thereafter as information becomes available. Notice to Group shall include the following: (i) identification of the individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired or disclosed during the Breach; (ii) a brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known; (iii) a description of the types of Unsecured PHI that were involved in the Breach (such as whether the full name, social security number, date of birth, home address, account number, diagnosis, or other types of information were involved); (iv) any steps individuals affected by the Breach should take to protect themselves from potential harm that may result from the Breach; (v) a brief description of what Business Associate is doing to investigate the Breach, to mitigate the harm to the individuals, and to protect against further Breaches; and (vi) contact procedures for individuals affected by the Breach to ask questions or learn additional information, including a toll free telephone number, an email address, Web site, or postal address. Business Associate agrees to provide such information even if it becomes available after notifications have been sent to affected individuals or after the 60 day period set forth above.
Business Associate will develop and document policies and procedures in compliance with the HIPAA Privacy and Security Rules, train its workforce members on the policies and procedures as is necessary and appropriate for the members of the workforce to carry out their functions, have sanctions for failure to comply with these policies and procedures and permit individuals to file complaints regarding these policies and procedures or a failure to comply with them.
Agents and Subcontractors. Business Associate will obtain and maintain a written agreement with each agent or subcontractor that has or will have access to the PHI, which is received from, or created or received by Business Associate in the course of performing the Services for Group, pursuant to which agreement such agent or subcontractor agrees to be bound by the same restrictions, terms and conditions that apply to Business Associate pursuant to this BAA with respect to such PHI.
Individual Rights. Business Associate will make available to the Group the PHI necessary for the Group to give individuals their rights of access, amendment, and accounting in accordance with applicable federal regulations. Business Associate also will incorporate any amendments made or agreed to by the Group with respect to PHI in the possession of Business Associate within thirty (30) days of the request by the Group; provided, however, that the provision of any such PHI or amendment of such PHI that requires retrieval or changes to any offline, archived data will be subject to a data retrieval or change (as applicable) fee based on Business Associate’s then-current fee schedule.
Access to Records by the Secretary of HHS. Business Associate will make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS as is reasonably necessary for the purpose of the Secretary determining the Group’s compliance with applicable law.
Accounting of Disclosures of PHI. Business Associate agrees to document disclosures of PHI and information related to disclosures as would be required for Group to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR § 164.528. Business Associate agrees to provide to Group a written response within thirty days of the request information collected in accordance with this section, to permit Group to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. Business Associate agrees to provide to the individual information collected pursuant to this BAA as required by law.
Return or Destruction of Protected Health Information. Upon termination of the Services Agreement and expiration of any post-termination access period requested by the Group, Business Associate will remove, within a reasonable period of time, all PHI from the Services and deactivate the Services account associated with Group’s subscription. Business Associate may, however, retain copies of any PHI included in the Personal Data in its offline data archives for backup, archive or legal recordkeeping purposes, and may subsequently destroy or erase such retained archive data, all in accordance with its data retention policies. Business Associate will extend the protections of this BAA to the PHI and limit further uses and disclosures to those purposes that make the return or destruction of the PHI unfeasible
Required Documentation. Business Associate agrees that if it knows of an impermissible use or disclosure of Protected Health Information as set forth in the HIPAA Privacy and Security Rules, it will maintain documentation that all required notifications were made, or alternatively, of its risk assessment as set forth in 45 C.F.R. § 164.402 or the application of any exceptions to the definition of Breach to demonstrate that notification was not required. Business Associate agrees that it shall maintain documentation sufficient to meet its burden of proof under 45 C.F.R. § 164.414.
Breach and Opportunity to Cure. The parties recognize that in the event the Group knows of an activity or a practice of Business Associate that constitutes a breach or violation of a material term of Business Associate’s obligation under this BAA, the Group shall notify Business Associate of such breach or violation and shall either (i) provide Business Associate with an opportunity to cure the breach or end the violation and terminate this BAA (including termination of Group’s subscription to the Services) if Business Associate does not cure the breach or end the violation within ten (10) business days; (ii) immediately terminate this BAA (including termination of Group’s subscription to the Services) if cure is not possible; or (iii) if neither termination nor cure are feasible, the Group shall report the violation to the Secretary.
If you have any questions about data privacy compliance practices or procedures, please contact.support@ePerkz.com.
6. CHILDREN’S PRIVACY
The intent of the Children’s Online Privacy Protection Act (“COPPA”) is to give parents control over commercial websites’ and online services’ collection, use and disclosure of information from children under the age of 13. COPPA does not apply to all internet-based services; when Services are used as intended by a Group, such use may involve data relating to children under 13, but the child is not the end user and COPPA does not apply. If you believe that a child under 13 has visited our Site and submitted information via the Site, or that we may have inadvertently collected personal information of a child under 13, in either case without proper parental consents, please contact us at support@ePerkz.com so that we may delete such data as soon as possible.
7. LINKS TO OTHER WEB SITES AND SERVICES
Please remember that this Policy applies to the ePerkz Site and Services only, and not other websites or third party applications that may be linked via our Services, which may have their own privacy policies. You should carefully read the privacy practices of each third party application before agreeing to engage with the application through the Site or Services. We assume no responsibility or liability for the privacy practices of any vendor or operator of third party sites or applications.
8. HOW TO CONTACT US
If you have any questions about this Policy or the Services, please contact us at support@ePerkz.com.
9. CHANGES TO THIS POLICY
We reserve the right to change this Policy at any time by posting revised Policy on this webpage, and we will notify Agencies and Groups of such posting via the most recent Agency and Group administrator email address on file with us. We encourage you to review this webpage periodically. The changes will be effective immediately upon notice or posting, and we will update the effective date of this Policy upon such posting. Your use or continued use of the Site or Services following the posting or email notification (as applicable) of any changes to the Policy will be deemed to be your acceptance of the changed Policy.