Legal Notices and Policies

Combined Notice of Privacy Practices, ADA and GINA Notice, Medical Disclaimer, and Privacy Policy.

Notice of Privacy Practices

THIS NOTICE DESCRIBES HOW HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW THIS NOTICE CAREFULLY.

Notice of Privacy Practices, updated and effective July 1, 2025.

This Notice has been drafted to comply with the “HIPAA Privacy Rules,” under federal law. Any terms that are not defined in this Notice have the meaning specified in the HIPAA Privacy Rules.

Please provide this Notice to your family.

ATTENTION: If you speak a language other than English, language assistance services that are free of charge are available to you. Contact your employer’s Human Resources department to request these services. Asset Health’s Customer Support also can assist in connecting you to your Wellness Plan sponsor’s translation service.

How We Protect Your Privacy

We are required by law to protect the privacy of your protected health information (PHI) and to provide you with this notice of our privacy practices. We will not disclose confidential information without your authorization unless it is necessary to provide your health benefits and administer the Plan(s), or as otherwise required or permitted by law. When we need to disclose individually identifiable information, we will follow the policies described in this Notice to protect your confidentiality.

We maintain confidential information and have procedures for accessing and storing confidential records. We restrict internal access to your confidential information to employees who need that information to provide your benefits. We train those individuals on policies and procedures designed to protect your privacy. Our Privacy Officer monitors how we follow those policies and procedures, and educates our organization on this important topic.

How We May Use and Disclose Your Protected Health Information

We will not use your confidential information or disclose it to others without your written authorization, except for the purposes listed in this section. When required by law, we will restrict disclosures to the Limited Data Set, or otherwise as necessary, to the minimum necessary information to accomplish the intended purpose.

Treatment. We may disclose your PHI to your health care provider for the provision, coordination or management of your health care and related services. For example, we may disclose your PHI to a health care provider when the provider needs that information to provide treatment to you.

Disclosures to the Plan Sponsor. We may only disclose aggregate summary health information to the Plan Sponsor, but not personally identifiable information.

Disclosures to Business Associates. We contract with individuals and entities (“business associates”) to perform various functions on our behalf or provide certain types of services. To perform these functions or provide these services, our business associates will receive, create, maintain, use or disclose PHI. We require the business associates to agree in writing to contract terms to safeguard your information, consistent with federal law.

Disclosures to Family Members or Others. Unless you object, we may provide relevant portions of your PHI to a family member, friend or other person you indicate is involved in your health care. If you are not capable of agreeing or objecting to these disclosures because of, for example, an emergency situation, we will disclose limited PHI, only to resolve the emergency. After the emergency, we will give you the opportunity to object to future disclosures to family and friends.

Other Uses and Disclosures. The law allows us to disclose PHI without your prior authorization in the following circumstances:

  • Required by law. We may use and disclose your PHI to comply with the law.
  • Public health activities. We will disclose PHI when we report to a public health authority for purposes such as public health surveillance, public health investigations or suspected child abuse.
  • Reports about victims of abuse, neglect or domestic violence. We will disclose your PHI in these reports only if we are required or authorized by law to do so, or if you otherwise agree.
  • To health oversight agencies. We will provide PHI as requested to government agencies that have the authority to audit or investigate our operations.
  • Lawsuits and disputes. If you are involved in a lawsuit or dispute, we may disclose your PHI in response to a subpoena or other lawful request, but only if efforts have been made to tell you about the request or obtain a court order that protects the PHI requested.
  • Law enforcement. We may release PHI if asked to do so by a law enforcement official in the following circumstances: (a) to respond to a court order, subpoena, warrant, summons or similar process; (b) to identify or locate a suspect, fugitive, material witness or missing person; (c) to assist the victim of a crime if, under certain limited circumstances, we are unable to obtain the person's agreement; (d) to investigate a death we believe may be due to criminal conduct; (e) to investigate criminal conduct; and (f) to report a crime, its location, or victims, or the identity, description or location of the person who committed the crime (in emergency circumstances).
  • Medical research. We may disclose PHI for medical research projects, subject to strict legal restrictions.
  • Serious threat to health or safety. We may disclose your PHI to someone who can help prevent a serious threat to your health and safety or the health and safety of another person or the general public.

Uses and Disclosures With Your Written Authorization

We will not use or disclose your confidential information for any purpose other than the purposes described in this Notice, without your written authorization. For example, we will not 1) supply confidential information to another company for its marketing purposes, 2) sell your confidential information, or 3) provide your confidential information to a potential employer with whom you are seeking employment, without your signed authorization. You may revoke an authorization that you previously have given by sending a written request to our Privacy Officer, but not with respect to any actions we already have taken.

Your Individual Rights

You have the following rights:

Right to inspect and copy your protected health information. Except for limited circumstances, you may review and copy your PHI. Your request must be addressed to the Privacy Officer. In certain situations we may deny your request, but if we do, we will tell you in writing of the reasons for the denial and explain your rights with regard to having the denial reviewed. If the information you request is in an electronic health record, you may request that these records be transmitted electronically to yourself or a designated individual.

If you request copies of your PHI, we may charge you a reasonable fee to cover the cost. Alternately, we may provide you with a summary or explanation of your PHI, upon your request, if you agree to the rules and cost (if any) in advance.

In the event your employer, as sponsor of its wellness plan, terminates the services of Asset Health, pursuant to our contractual requirements and the governing HIPAA and HITECH regulations, Asset Health is required to proceed with deidentification of and ultimate destruction of your PHI securely stored by Asset Health.

Right to correct or update your protected health information. If you believe that the PHI we have is incomplete or incorrect, you may ask us to amend it. Your request must be made in writing and must be addressed to the Privacy Officer. To process your request, you must use the form we provide and explain why you think the amendment is appropriate. We will inform you in writing whether the amendment will be made or denied. If we agree to make the amendment, we will make reasonable efforts to notify other parties of your amendment. If we agree to make the amendment, we will also ask you to identify others you would like us to notify.

We may deny your request if you ask us to amend information that:

  • Was not created by us, unless the person who created the information is no longer available to make the amendment;
  • Is not part of the PHI we keep about you;
  • Is not part of the PHI that you would be allowed to see or copy; or
  • Is determined by us to be accurate and complete.

If we deny the requested amendment, we will notify you in writing how to submit a statement of disagreement or complaint, or request inclusion of your original amendment request as part of your PHI.

Right to obtain a list of the disclosures. You have the right to get a list of PHI disclosures, which also is referred to as an accounting. You must make a written request to the Privacy Officer to obtain this information.

The list will not include disclosures we have made as authorized by law. For example, the accounting will not include disclosures made for treatment, payment and health care operations purposes (except as noted in the following paragraph). Also, no accounting will be made for disclosures made directly to you or under an authorization that you provided or those made to your family or friends. The list will not include other disclosures, including incidental disclosures, disclosures we have made for national security purposes, disclosures to law enforcement personnel, or disclosures made before April 14, 2003. The list we provide will include disclosures made within the last six years unless you specify a shorter period.

You may also request and receive an accounting of disclosures of electronic health records made for payment, treatment or health care operations during the prior three years for disclosures made on or after 1) January 1, 2014, for electronic health records acquired before January 1, 2009, or 2) January 1, 2011, for electronic health records acquired on or after January 1, 2009.

The first list you request within a 12-month period will be free. You may be charged for any additional lists within a 12-month period.

Right to choose how we communicate with you. You have the right to ask that we send information to you at a specific address (for example, at work rather than home) or in a specific manner (for example, by email rather than regular mail). We must agree to your request if you state that disclosure of the information may put you in danger.

Right to request additional restrictions on health information. You may request restrictions on our use and disclosure of your confidential information for the treatment, payment and health care operations purposes explained in this Notice. While we will consider all requests for restrictions carefully, we are not required to agree to a requested restriction. However, we must comply with your request to restrict a disclosure of your confidential information for payment or health care operations if you paid for these services in full, out of pocket.

Questions and Complaints

If you believe your privacy rights have been violated, you may file a complaint with us or the U.S. Department of Health and Human Services. To file a complaint with us, put your complaint in writing and address it to the Privacy Officer listed below. The Plan(s) will not retaliate against you for filing a complaint. You may also contact the Privacy Officer if you have questions or comments about our privacy practices.

Future Changes to Our Practices and This Notice

We are required to follow the terms of the privacy notice currently in effect. However, we reserve the right to change our privacy practices and make any such change applicable to the PHI we obtained about you before the change. If a change in our practices is material, we will revise this Notice to reflect the change. We will send or provide a copy of the revised Notice. You may also obtain a copy of any revised Notice by contacting the Privacy Officer.

Contact Information

John J. Wilson
General Counsel
Asset Health
2250 Butterfield Drive, Suite 210
Troy, MI 48084
(248) 822-7441
jwilson@assethealth.com

ADA and GINA Notice

Notice Regarding Your Wellness Program

If you choose to participate in the wellness program, you may be asked to complete a voluntary Health Assessment (HA) — also referred to as a Health Risk Assessment (HRA), Health Risk Questionnaire (HRQ), Wellness Assessment (WA), Personal Health Assessment (PHA), or Health Behavior Questionnaire (HBQ) — that asks a series of questions about your health-related activities and behaviors and whether you have or had certain medical conditions (e.g., cancer, diabetes, heart disease). You may also be asked to complete a biometric screening (which will include a blood test) for various biometric measurements, e.g., BMI, blood pressure, glucose, etc. You are not required to complete the HA, biometric screening or other medical examinations.

However, eligible individuals who choose to participate in the wellness program may receive an incentive for completing the HA and/or participating in the biometric screening. Although you are not required to complete the HA or biometric screening, only eligible individuals who do so will receive any available incentives.

Additional incentives may be available for individuals who participate in certain health-related activities or achieve certain health outcomes, e.g., weight loss, smoking cessation, lower blood pressure, etc. If you are unable to participate in any of the health-related activities, or achieve any of the health outcomes required to earn an incentive, you are entitled to a reasonable accommodation or an alternative standard. You may request a reasonable accommodation or an alternative standard by contacting your wellness program administrator or Human Resources department.

The information from your HA and biometric screening will help you understand your current health and potential risks, and may also be used to offer you services through the wellness program, such as coaching, iKnowledge (online wellness) courses, etc. You also are encouraged to share your results or concerns with your personal health care provider.

Protections from Disclosure of Medical Information

We are required by law to maintain the privacy and security of your personally identifiable health information. Although the wellness program and your employer may use aggregate information they collect to design a program based on identified health risks in the workplace, the wellness program will never disclose any personal information publicly or to the employer, except as necessary to respond to a request from you for a reasonable accommodation needed to participate in the wellness program, or as expressly permitted by law. Medical information that personally identifies you, provided in connection with the wellness program, will not be provided to your supervisors or managers and may never be used to make decisions regarding your employment.

Your health information will not be sold, exchanged, transferred or otherwise disclosed except to the extent permitted by law to carry out specific activities related to the wellness program. You will not be asked or required to waive the confidentiality of your health information as a condition of participating in the wellness program or receiving an incentive. Anyone who receives your information for purposes of providing you services as part of the wellness program must abide by the same confidentiality requirements. The only individuals who will receive your personally identifiable health information are those determined to be necessary - such as a “qualified health professional,” “wellness program administrator” or “health coach” - to provide you with services under the wellness program.

Additionally, all medical information obtained through the wellness program will be maintained separate from your personnel records. Information stored electronically will be encrypted, and no information you provide as part of the wellness program will be used in making any employment decision. Appropriate precautions will be taken to avoid any data breach. In the event a data breach occurs involving information you provide in connection with the wellness program, we will notify you immediately.

You may not be discriminated against in employment because of the medical information you provide through participation in the wellness program, nor may you be subjected to retaliation if you choose not to participate.

If you have questions or concerns regarding this notice, or about protections against discrimination and retaliation, please contact your wellness program administrator or Human Resources department.

Medical Disclaimer

The content contained in the Asset Health System, including but not limited to text, graphics, images, audio, video, animations, etc. ("Content"), is for informational purposes only. The Content is not intended to be a substitute for professional medical advice, diagnosis or treatment; nor is it a replacement for financial or benefits advice that you may receive from your Human Resources Department or personal financial adviser. You should always seek the advice of your physician or other qualified health care provider with any questions you may have regarding a medical condition; you should always seek the advice of your Human Resources Department or personal financial adviser with any questions you may have regarding health care benefits or financial-related health care issues. Asset Health is not in the business of providing medical, health care or financial advice. Reliance on any Content is solely at your own risk. Asset Health is in compliance with the Americans with Disabilities Act. If you require an accommodation, please contact Human Resources.

Privacy Policy

Privacy Policy updated and effective July 1, 2025.

Asset Health ("Us," "We," or "Our") created this Privacy Policy ("Privacy Policy") to ensure the confidence of users ("you" or "your") of our Asset Health software program and website (collectively, the "Product"), and to demonstrate our commitment to fair information practices and the protection of privacy.

1. Types of Information Collected.

a. Traffic Data Collected. We automatically track and collect the following information when you use our Product, including your: (i) IP address; (ii) domain server; (iii) type of computer; (iv) type of web browser; and (v) information on your usage of the Product, including Courses completed or not completed and your performance on our Assessments (collectively, "Traffic Data"). Traffic Data is anonymous information associated with you that identifies you and is helpful for reporting purposes or for improving your experience with the Product.

b. Personal Information Collected. In order for you to access the Products, we require you to provide us with information that personally identifies you ("Personal Information"). Personal Information may include: (i) Contact Data (such as your name and email addresses); and (ii) Demographic Data (such as your ZIP code). If you communicate with us by email, post messages to any of our chat groups, or otherwise complete online forms or surveys, any information provided in such communication may be collected as Personal Information.

c. Health and Wellness Information ("Health Data") Collected and/or Accessed. Depending on your employer’s wellness program requirements and the features made available to you through the Product, we may collect, store, and process health and wellness information, which may include information that is protected health information ("PHI") when applicable (Health Data). Health Data may include, as required by your wellness program: biometric screening results and measurements (for example BMI, blood pressure, glucose, or similar biometrics); responses and results from health assessments (including HRAs/health risk questionnaires); activity and fitness information (for example activity minutes, workouts, steps); sleep-related information (for example sleep duration and sleep activity summaries); and other wellness program-related health indicators required by your employer’s wellness plan. Health Data is collected only as needed to provide the wellness program services and features made available to you.

d. How Health Data is Collected. Health Data may be collected from you directly (for example, when you complete an assessment or enter information), from wellness program service providers (for example, biometric screening vendors), and/or from device or platform integrations you choose to enable where offered (for example, activity/step/sleep sources). The specific categories collected depend on your employer’s wellness program configuration.

2. Uses of Information Collected.

a. General Uses. We use Contact Data to contact you if necessary, including to provide Product-related notices and support.

b. How We Use Health Data. We use Health Data to provide and administer the wellness program services and Product features made available to you, which may include: (i) generating wellness results, insights, or summaries for you; (ii) enabling coaching, courses, or program activities; (iii) confirming completion of program requirements for incentives where applicable; (iv) improving and maintaining Product functionality, security, and support; and (v) producing de-identified or aggregated reporting as permitted by law and contract (for example, summary program reporting that does not identify you individually). We do not sell your Health Data.

3. Where Information is Stored.

Information collected through the Product (including Health Data and Personal Information) is stored on secure servers in a secure datacenter. We use administrative, technical, and physical safeguards designed to protect the confidentiality, integrity, and availability of the information we maintain.

4. Sharing and Disclosure of Information.

Except as otherwise provided in this Privacy Policy, we will keep your Personal Information and Health Data private and will not share it with third parties, unless such disclosure is necessary to: (a) comply with a court order or other legal process; (b) protect our rights or property; or (c) enforce our Terms of Use Agreement. We may also share Health Data with service providers that support the operation of the wellness program (for example, hosting, service analytics used to operate the Product, biometric screening or coaching vendors) under contractual requirements to protect confidentiality and security, and only as needed to provide services.

We will never disclose the entries to your personal online "Journal" to any third parties. Only you and the Asset Health staff will have access to these entries. The Asset Health staff has access to these entries solely for the purpose of properly administering the Product.

5. Confidentiality and Security of Personal Information.

We use reasonable safeguards designed to protect Personal Information and Health Data from unauthorized access, use, disclosure, alteration, and destruction. Access is limited to authorized personnel and service providers who need the data to support the Product.

6. Lost or Stolen Information.

You must promptly notify us if your user name or password is lost, stolen or used without permission. In such an event, we will cancel that user name or password, issue you a new user name and password, and update our records accordingly.

7. Other Limits to Your Privacy.

The Product contains links to other websites. We are not responsible for the privacy practices or the content of such websites. We may also make chat rooms, news and other services available to you. Understand that any Information you disclose in these areas becomes public information. We have no control over its use, and you should exercise caution when deciding to disclose your Personal Information.

8. Data Retention.

a. Retention Period. We retain Personal Information and Health Data for as long as necessary to provide the Product and administer your employer-sponsored wellness program, and as required under the terms of the agreement with your employer (the wellness plan sponsor) and applicable law.

b. Employer Program Changes / Termination. If your employer terminates the wellness program services with Asset Health, we will handle Health Data in accordance with our contractual obligations and applicable law, which may include de-identification and secure destruction of PHI.

c. Backups. Backups are maintained on a rolling basis for business continuity and disaster recovery purposes and are overwritten on a scheduled cycle. As a result, information may persist in backups for a limited period after deletion or program termination, after which it is overwritten or securely destroyed.

9. Deletion of Data / How to Request Deletion.

Because users do not create an account in the Product, deletion requests are handled through your employer’s wellness program administration process.

a. How to Request Deletion. You may request deletion of your Personal Information and/or Health Data by: (i) contacting your employer’s Human Resources department or wellness program administrator; or (ii) contacting Asset Health’s Privacy Officer using the contact information in this document.

b. What We Delete and When. When we receive a verified request, we will delete or de-identify your Personal Information and/or Health Data as appropriate, subject to: (i) any retention obligations under the agreement with your employer; and (ii) applicable legal requirements. If deletion cannot be completed immediately due to contractual or legal retention requirements, we will restrict the data and delete it when permissible.

c. Timing. Verified deletion requests are generally completed within 30 days, unless additional time is required due to legal, contractual, or technical constraints (for example, backup retention cycles).

10. Updates and Changes to Privacy Policy.

We reserve the right, at any time and without notice, to add, change, update or modify this Privacy Policy simply by posting such change, update or modification on our website. Any such change, update or modification will be effective immediately upon posting on our website.