Health Plans Privacy Notice

Important Note

The Privacy Notice below applies to you only if you are a user of Rethink services in your capacity as an insured person under a health plan, or you are an employee (or dependent of an employee) of a health plan organization or a health provider, and you access the Rethink services directly from Rethink (or through a Rethink channel partner that is a health plan organization). In all other situations, you should consult our General Privacy Notice.

1. Introduction

This Privacy Notice (“Notice”) describes how the Rethink Benefits and RethinkCare divisions of Rethink Autism, Inc. (“Rethink”, “we”, “us”, “our”) collect, use, disclose, secure, and eventually dispose of (collectively “process”) your personal information when you are an insured person under, or an employee (or dependent of an employee) of, a health plan or health provider (henceforth “plan”). Personal information is any information that does, or could, identify you. This Notice applies to personal information collected on the subscription-only sections of our websites (rethinkbenefits.com/eb/ and rethinkcare.com), mobile apps (Rethink Benefits and RethinkCare), their associated technologies and communications media, and in the course of any offline contact with you (collectively the “services”). Our services may contain links to external websites. This Notice does not cover those sites. In this Notice, “you” refers to anyone about whom we process personal information. You will usually be an insured person under, or an employee (or dependent of an employee) of, a plan that is a customer of Rethink or a Rethink channel partner; a parent of a child in whose interests the services are used; or a member of a “support team” (for example, a family member or teacher) who is invited to participate in the services. For parents and legal guardians, “your personal information” includes your child’s personal information. In this Notice, “primary user account holder” means the plan insured person or employee who enrolls for the services.
Rethink provides online tools, content, and related services for health plans in three distinct environments: (1) “Parental Success” (formerly known as “Rethink Benefits At Home”) supports families of individuals with learning, social, or behavioral challenges; (2) “Professional Resilience” (formerly known as “Rethink Benefits At Work”) helps employers increase neurodiversity inclusion in the workforce; and (3) “Personal Wellbeing” assists patients and employees to increase their mental wellbeing and work performance. Rethink is a “processor” (also called a “service provider”) for personal information that is processed in our services for health plans. The plans are the “controllers” of your information. As a processor, we handle your information only on the plan’s behalf and according to its instructions. This Notice describes how we process your information on behalf of the controller. Note that this Notice does not cover your plan’s processing of your information outside our services. Rethink Benefits and RethinkCare are part of the Rethink group of businesses. This Privacy Notice applies only to the Rethink Benefits and RethinkCare divisions.

2. Changes to this Notice

We will update this Notice from time to time and will communicate material changes to you through an appropriate channel (for example, via a notice in our services). The Notice was last updated on July 21, 2023.

3. Personal information we collect

3.1 Categories collected

We collect the following categories of personal information:
  • Identifiers such as your name, e-mail address, username, and IP address.
  • Additional personal information defined by certain applicable US state laws: address, telephone number.
  • Protected classification characteristics and EU “special categories of personal data”, such as gender and health information.
  • Commercial information, such as your purchases from us.
  • Internet activity/usage on our websites and applications.
  • Employment-related information, such as your job role or title.

3.2 Categories of sources

We collect the categories of personal information listed above from the following categories of sources:
  • Directly from you, for example when you complete an online form or provide information about you or your child during a Rethink consultation video call.
  • From other users of the services, for example if an invited caregiver mentions your child’s progress in acquiring a skill during a consultation.
  • We may receive information about you from your plan, for example your work e-mail address or plan member ID so that we can give you access to the service.
  • From observing your activity on our services, for example via cookies, other standard online technologies, and our routine monitoring and recording of your service usage.

3.3 Items of personal information collected

When we collect personal information directly from you, you will know the details of that information. For Parental Success, it may include:
  • Login credentials (username and password).
  • Name, job role, e-mail address, telephone number; country, state, and city of location.
  • Your schedule of appointments with Rethink behavioral consultants or when you have participated in a Parent Discussion Group.
  • Information you choose to provide if you create a profile, for example a child’s profile may include name, date of birth, school grade, photo, and developmental disabilities and concerns. Providing such information is completely optional and is not essential for you to use the services.
  • Information you choose to provide to Rethink behavioral consultants in the course of a written, phone, or video consultation.
  • Information you choose to provide about your child when participating in a Parent Discussion Group.
  • Any details about yourself that you reveal as you use free-form features of the services, for example you might mention your favorite activity with your child during a consultation video call with a Rethink behavioral consultant or include your family in a photograph you upload to the My Files area of the services.
  • Assessments you complete in the services, for example a parent stress assessment.
For Professional Resilience, it may include:
  • Login credentials (username and password).
  • Name, job role, e-mail address, telephone number; country, state, and city of location.
  • Your schedule of consultations with Rethink neurodiversity consultants.
  • Any details about yourself that you might reveal during a neurodiversity consultation with a Rethink consultant, for example you could refer to your strengths and challenges as an employee or manager.
  • Information from training modules you take, for example your quiz score after taking a neurodiversity inclusion training module.
For Personal Wellbeing, it may include:
  • Login credentials (e-mail and password).
  • Name and country of residence.
  • The sessions and courses that you “like”.
  • Ratings and feedback that you give us about the service.
We collect personal information from other users of the services only in Parental Success. For example, a support team member may, during a consultation with a Rethink consultant, volunteer information about how you interact with your child. Unless otherwise instructed by your plan, which support team members (for example, a spouse or therapist) are invited to access the services is under the control of the primary user account holder. The primary user account holder and/or the plan (as applicable) also determine their level of access to the services (for example, whether or not they can view consultation session notes).
When we receive information about you from your plan, it may include:
  • Your name, e-mail address, DOB, or plan member ID.
  • Other information items selected by your employer to assist segmentation of service usage reports, for example your work location and department.
We collect personal information from observing your activity on our services:
  • We track how you use our subscription-only content, for example how much time you spend interacting with it and which sessions and courses you complete.
  • We routinely monitor and record your usage of our subscription-only services for the purpose of providing service security and effective user support.
  • We use cookies and other standard online technologies in our public and subscription-only services. Cookies allow us to recognize your device. We use them to collect information about your device and how you use our services, for example which pages you visit and how long you stay on them. Cookies also facilitate, for example, logging into and navigating our services.

4. How we use your personal information

We use your personal information in our services for health plans solely on your plan’s behalf and according to its instructions. Remember that your plan is the “controller” of the personal information processed in our services. This Privacy Notice does not cover how the plan uses your information, which will be determined by its own legal obligations and policies. When your plan is a Covered Entity under the US Health Insurance Portability and Accountability Act (HIPAA), our relationship with it is that of Business Associate. Rethink will never sell your personal information. Rethink may use your personal information for the following purposes:
  • To provide our services, for example to manage log-ins and maintain the security and confidentiality of data contained in the services; to schedule and hold consultations with our consultants; to schedule and hold Parent Discussion Groups; to communicate essential service information to you; to recommend content to you based on your child’s needs as reported by you; to provide customer support; and to monitor compliance with our Terms of Use.
  • To help us improve our services and user experience, for example by identifying which parts of our services you find useful or difficult to use. For this purpose, we use anonymized and aggregated information that does not identify you and from which you cannot reasonably be re-identified.

5. Disclosure of your personal information

Who we disclose your personal information to depends on the specific items of information and the purposes we use them for. Your personal information may be disclosed to the following categories of recipients:
  • Your plan: When instructed by your plan, we will provide it (or parties designated by it) with access to any personal information contained in the services.
  • Employees and contractors of Rethink: These personnel have roles that require access to your information (a “need to know”). They are bound by employment terms that cover their obligation to keep personal information confidential and secure and have been trained in US law governing confidentiality of personal health information.
  • Service providers (“processors”): We use service providers to perform certain tasks for us, for example hosting our services on a Cloud computing platform or providing secure video calling functionality. Service providers process your data on our behalf and according to our instructions. They are contractually bound to protect your data and are prohibited from using it for their own purposes.
  • Other third parties: We may disclose de-identified information to third parties, for example business partners or research organizations. “De-identified” information has been stripped of attributes that tie it to a particular individual and cannot reasonably be reconnected to that individual.
  • Disclosure information applicable only to specific services:
      • Parental Success: (1) Personal information collected in our Parental Success environment may be disclosed to other authorized users of the services. Authorized users and their level of access to the services are determined by the primary user account holder, and where so instructed, by the plan. (2) Note that for Parent Discussion Groups we encourage participants to keep any information disclosed by other participants private and confidential. However, there can be no guarantee of full confidentiality and you should think carefully before disclosing any personal information when participating in the groups.
      • Professional Resilience: Note that Professional Resilience is not designed for the disclosure to Rethink consultants of identifying information about individuals who are the subject of a consultation, and primary user account holders are actively discouraged from making such disclosures.
We have in the preceding 12 months disclosed the following categories of personal information to “service providers” (defined above):
  • Identifiers such as your name, e-mail address, username, and IP address.
  • Additional personal information defined by certain applicable US state laws: address, telephone number.
  • Internet activity/usage on our websites and applications.
  • Protected classification characteristics and EU “special categories of personal data”, such as gender and health information.
We will also disclose your personal information in the following exceptional circumstances:
  • Corporate event: Your data may be transferred to third parties as a result of a merger, acquisition, or similar corporate event involving Rethink.
  • Legal necessity: We will disclose your information to government agencies, law enforcement, courts, and other authorities and parties if required to by applicable law. Note that information you provide to Rethink, including to our behavioral consultants in the course of a training session, may not be protected by physician-patient privilege.
  • Individual’s vital interests: If we reasonably believe based on information posted on or provided in relation to our services that the safety or vital interests of an individual are at risk, we will disclose personal information to relevant parties as necessary to assist the individual.
  • Protection of Rethink’s interests: Where permitted by applicable law, we may disclose personal information to our professional advisors and other qualified parties when we reasonably believe it to be necessary to protect our essential business interests.

6. Information security

We employ technical, physical, and administrative security measures appropriate to the categories of personal information processed in our services. These measures include, for example: encryption at rest and in transit, role-based access, firewalls, and anti-virus software. For more details of our practices, please consult our Information Security Standards statement. We protect information about individuals’ diagnoses, treatments, and outcomes with particular care. Rethink is HITRUST CSF certified. HITRUST CSF is a security and privacy framework that covers, among others, HIPAA and National Institute of Standards and Technology (NIST) standards. No matter how carefully we safeguard your information, it is unfortunately not possible to guarantee that it will never be accidentally or illegally breached.

7. Data retention

We receive your personal information as a processor and will retain it for the duration of the processing contract and then, according to the controller’s instructions, return it to them, delete it, or transfer it to another service provider.

8. International transfer

Rethink is based in the United States. Your personal information is stored on our systems in the US. If you live in the European Union, European Economic Area, or UK, note that the European Commission has not issued an unlimited adequacy decision for the US. Privacy safeguards for EU/EEA-US data transfers are the responsibility of the data controller. Rethink Benefits collaborates with our EU/EEA customers to put in place GDPR-recognized safeguards for international transfer.

9. Your rights

US and international laws give you various rights over your personal information and that of your child. These may include the right to:
  • Access personal information held about you
  • Correct inaccurate or out-of-date personal information
  • Request deletion of your personal information
  • Restrict processing of your personal information
  • Data portability: Receive your personal information in a readily useable format
In most cases, you will be able to access, correct, or delete your information yourself through your account. In other cases, you should contact your plan (the controller) with any request to exercise privacy rights. If necessary, however, please contact Rethink Benefits using the contact information in Section 10 of this Notice. We will endeavor to facilitate your request. If you believe that we have infringed your privacy rights, please contact us so that we can try to resolve the issue. However, if you are an EU/EEA/UK resident, you have the right to lodge a complaint with your EU/EEA local supervisory authority or, in the UK, with the ICO.

10. Contact us

Data Protection Officer: [email protected] or +1 646 257 2919 ext. 800
Rethink Autism, Inc., 49 West 27th Street, 8th Floor, New York, NY 10001, USA
EU Representative: MyEDPO Ltd, Unit 3d North Point House, North Point Business Park, New Mallow Road, Cork, Ireland; [email protected] or +44 203 870 3376.