Consumer Health Data Privacy Policy Effective Date: June 30, 2024
Chateau Retirement Communities, LLC has adopted this Consumer Health Data Privacy Policy (the “Policy”) to comply with the Washington My Health My Data Act (the “MHMDA”). This Policy describes how certain information, called “consumer health data,” may be used and disclosed by Chateau and Chateau-managed communities (collectively “Chateau,” “we,” “us”) and how you can exercise your rights with respect to this information. This Policy pertains to consumer health data of Washington residents and individuals whose consumer health data is collected in Washington. This Policy supplements our Privacy Policy, and in the event of a conflict between our Privacy Policy and this Policy, this Policy will prevail as to consumer health data under MHMDA.
CONSUMER HEALTH DATA WE COLLECT
Consumer health data includes personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present or future physical or mental health status. This includes information about your conditions, symptoms, treatments, diseases, surgeries, bodily functions, vital signs, and medication, among others. In our assisted living communities, recording this information may be required under state and federal laws. Consumer health data does not include publicly available information, deidentified data, or information that is already protected under certain federal and state laws, such as Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) or the Uniform Health Care Information Act.
We collect the following categories of personal information, which may constitute consumer health data if not excluded from MHMDA:
| Category | Collected? | Purpose of Collection |
| Individual health conditions, treatment, diseases, or diagnosis; | Yes | *Provide the services you requested *Assist you in the event of an emergency *Verify your eligibility to become a resident * Prepare incident reports |
| Social, psychological, behavioral, and medical interventions; | Yes | *Provide the services you requested *Assist you in the event of an emergency *Verify your eligibility to become a resident * Prepare incident reports |
| Health-related surgeries or procedures; | Yes | *Provide the services you requested *Assist you in the event of an emergency *Verify your eligibility to become a resident * Prepare incident reports |
| Use or purchase of prescribed medication; | Yes | *Provide the services you requested *Assist you in the event of an emergency *Verify your eligibility to become a resident * Prepare incident reports |
| Bodily functions, vital signs, symptoms, or measurements of health information; | Yes | *Provide the services you requested *Assist you in the event of an emergency *Verify your eligibility to become a resident * Prepare incident reports |
| Diagnoses or diagnostic testing, treatment, or medication; | Yes | *Provide the services you requested *Assist you in the event of an emergency *Verify your eligibility to become a resident * Prepare incident reports |
| Gender-affirming care information; | No, unless included in your third-party medical records | *Provide the services you requested *Assist you in the event of an emergency |
| Reproductive or sexual health information; | No, unless included in your third-party medical records | *Provide the services you requested *Assist you in the event of an emergency |
| Biometric data; | No | N/A |
| Genetic data; | No | N/A |
| Precise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies; | Yes | *Provide the services you requested (incl. safety pendant/alert support) *Assist you in the event of an emergency |
| Data that identifies a consumer seeking health care services; | Yes | *Provide the services you requested *Provide information to you regarding our services *Provide customer service *Conduct internal audits, investigations, and data analysis |
| Other information that may be used to infer or derive data related to the above or other health information. | Yes | *Provide the services you requested *Provide information to you regarding our services *Provide customer service *Conduct internal audits, investigations, and data analysis |
We may collect your consumer health data without your explicit consent to the extent necessary to provide a product or service that you have requested from us.
SOURCES OF CONSUMER HEALTH DATA
We obtain the categories of consumer health data listed above from the following categories of sources:
- Directly from you and your representatives. For example, when you share your health history with us or when we collect information about you during resident assessments and other health checkups.
- Indirectly from you. For example, when we obtain health-related information through automated measures, such as automated body temperature checks.
- Automatically as you navigate through our website. Information collected automatically may include IP addresses, device identifiers, and information collected through cookies, and other tracking technologies.
- From third parties, such as referral agencies, home health agencies, other long-term care providers, and HIPAA-regulated health care providers that may share information about your health with us (e.g., your physician sharing your medical history with us after obtaining your consent).
- Government entities, such as the Veterans Health Administration, the law enforcement agencies (e.g., referrals from the fire department and the police pension programs).
WHY WE COLLECT AND USE CONSUMER HEALTH DATA
We may use the consumer health data we collect in one or more of the following ways:
- To provide a product or service that you have requested form us.
- To further the purposes for which you provided consent in connection with collecting or sharing your consumer health data.
- To provide you with customer service and to respond to your inquiries, including investigating and addressing any health-related concerns you may need our assistance with.
- To create, maintain, customize, and secure your profile information.
- To develop and administer life enrichment and health wellness programs.
- To provide you with promotional materials, such as information about the services, programs, or events that may be relevant to you.
- To prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any activity that is illegal under Washington state law or federal law; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action that is illegal under Washington state law or federal law.
- To protect the confidentiality, integrity and accessibility of your consumer health data.
- To perform data analytics and quality control.
- To perform research, product development, testing, and analysis, including to support resident safety programs, improve our website and services, and prepare incident reports.
- To conduct internal investigations and audits, investigate grievances and suspected violations of our internal policies.
- To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations.
- To comply with any applicable laws, regulations and statutory requirements (including any internal policy based on or reflecting legal or regulatory guidance, codes, or opinions).
- To exercise and defend our legal rights.
- To protect your safety or the safety of others.
- To evaluate or conduct a merger, acquisition, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which information held by us is among the assets transferred.
SHARING CONSUMER HEALTH DATA
We do not sell your consumer health data.
We may share all categories of the consumer health data listed above with select trusted parties in order to provide you with the products and services you requested from us, for any purpose for which you provided consent, or to comply with the law. We may share your consumer health data with the following categories of third parties:
- Our affiliates, if sharing between Chateau and Chateau-managed communities is needed for data processing or operational purposes; for example, Chateau may share data when making a referral to related rehabilitation service provider or utilize common data systems with its affiliates, subsidiaries or related companies;
- Healthcare providers, for treatment purposes;
- Individuals, representatives and family members, as directed by you and your interactions with us;
- Other third parties, such as referral agencies, home health agencies, other long-term care providers, preferred pharmacy providers, state surveyors, Washington State Long Term Care Ombudsman Representatives, mental health agencies, and other parties involved in providing care to the Community’s residents;
- Professional services providers (such as IT service providers, analytic service providers, advertising partners) where enabling access to data helps us provide our services and operate our business;
- Government, regulatory, and law enforcement agencies;
- Parties to litigation.
Disclosures of the consumer health data to the vendors we contract with to help us provide you with products and services do not constitute sharing, as that term is defined in MHMDA.
YOUR RIGHTS
Subject to limited exceptions, the MHMDA provides you with the following rights regarding your consumer health data:
Right to Confirm and Access. You have the right to confirm whether we are collecting, sharing or selling your consumer health data and to access such data.
Right to Withdraw Consent. You have the right to withdraw consent for consumer health data collection and sharing.
Right to Request Deletion. You have the right to have your consumer health data deleted from our records.
We will not discriminate against you for exercising any of the above rights. We will not attempt to re-identify any data that was previously deidentified.
Please note that these specific rights will not apply to any data that is exempt from MHMDA – for example, the MHMDA does not apply to publicly available information or information that is protected by certain other privacy laws, such as HIPAA or state laws governing assisted living facilities.
EXERCISING YOUR RIGHTS
Making a Request. To exercise your rights under MHMDA, please submit a request by emailing us at Privacy@ChateauLLC.com or contacting the Executive Director of the relevant Chateau community in person or by phone. We will provide you with a form to fill out in order to exercise your MHMDA rights. You will need to provide sufficient information to verify your identity and specify the right you wish to exercise. Only you, or a person that you authorize to act on your behalf, may submit a request to exercise your MHMDA rights.
Responding to Requests. We will respond to your request within 45 days of its receipt. If we require more time (up to a total of ninety (90) days), we will inform you of the reason and the extension period in writing. If we are unable to authenticate your request to exercise consumer rights using commercially reasonable efforts, we are not required to comply and we may request additional information from you.
You are entitled to receive information in response to your request free of charge, up to twice per year. In case of requests that are manifestly unfounded, excessive, or repetitive, we may charge a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request.
Authorized Agent. You may authorize an agent to exercise your rights on your behalf. When a request is submitted by an authorized agent, we will require the requestor to: (i) provide the authorized agent’s written permission to do so; and (ii) verify their own identity directly with us. If we are unable to verify the identity of the requestor or if we do not receive proof from the authorized agent that the requestor authorized the agent to act on the requestor’s behalf, we will refuse to take action on the request.
Appeals Process. If you wish to appeal our refusal to take action on a your request, please email us at Privacy@ChateauLLC.com. Within 45 days of receipt of the appeal, we will inform you in writing of any action taken or not taken in response to the appeal, along with a written explanation of the reasons for our decisions. If the appeal is denied, we will provide you with an online mechanism or another method through which you may contact the Attorney General to submit a complaint.
CHANGES TO THIS POLICY
We reserve the right to amend, modify and delete sections of this Policy at our discretion and at any time. When we make changes to this Policy, we will post the updated Policy on the website and update the effective date accordingly. You are responsible for reviewing this Policy periodically to make sure you are aware of any changes.
CONTACT INFORMATION
If you have any questions or concerns regarding the policies and practices described in this Policy, please contact us at Privacy@ChateauLLC.com.