PRIVACY POLICY - CALIFORNIA PRIVACY RIGHTS AND DISCLOSURES

This Privacy Policy explains how Humana, Inc. and its affiliates (together, “Humana”, or “we,” or “us,” or “our”) collect information based on your interactions with us, our websites and mobile applications. This Policy applies to Humana’s collection and use of California residents’ Personal Information, including where such use or collection may be governed by the California Consumer Privacy Act (CCPA). This Policy does not cover information that is exempted from the privacy policy notification requirements of the CCPA, including information about customers and clients that is covered by GLBA, HIPAA, HITECH, or the California Confidentiality of Medical Information Act; information about employees, contractors and medical staff members, which we cover in separate notices; information about job applicants and information processed exclusively in the context of a business person acting in a business capacity. Where exceptions to the CCPA apply to a request you submit, we will provide you with an explanation as to why.

I. Personal Information Collected in the Past 12 Months

We collect, process and store various types of Personal Information. For purposes of this Policy, “Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. It does not include de-identified or aggregate information, or public information lawfully available from governmental records.

The following list describes the categories of Personal Information covered by this Policy that we may have collected in the past 12 months and, for each category, where and why we collected it, and the categories of entities with which we shared the Personal Information.

• Category A – Identifiers
  • Examples: Name, postal address, Internet Protocol address, email address, or other similar identifiers.
• Category B – Protected classification characteristics under California or federal law
  • Examples: age (over 40); sex/gender (including pregnancy, childbirth, breastfeeding and/or related medical conditions); gender identity or gender expression; marital status; military or veteran status;
• Category C – Commercial information
  • Examples: records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
• Category D – Internet or other electronic network activity information, including browsing and search history
  • Examples: Access history and information on your interaction with our application.
  • See, Humana Internet Privacy Statement
• Category E – Professional or employment-related information on Humana associates
  • Examples: Occupation, employer information.
• Category F – Education Information
  • Examples: Education level, school attended.
• Category G – Audio, electronic, visual, thermal, olfactory, or similar information
• Category H - Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

Purpose of Collection

• Provision of services to clients and potential clients, such as to process transactions, maintain account(s), respond to inquiries, particularly as relates to our wellness programs (“provision of services”)
• Business operations, such as processing or fulfilling claims, coordinating benefits, and processing payments; managing administrative matters such as invoicing, renewal or to audit customer transactions; Developing, maintaining, provisioning or upgrading networks, services or devices; conducting analytics to determine how to improve our services and develop new ones (“Business operations”)
• Managing and responding to legal and regulatory requirements and requests, such as responding to court orders and legal investigations (“legal and regulatory requirements”)
• Security, crime, and fraud prevention, such as protecting our systems and networks from unauthorized access and attacks, securing our facilities and personnel, verifying identities (“security and crime prevention”)
• Marketing purposes – offering [our] services to you
• Operating our websites and mobile apps

We obtain the categories of personal information listed above from the following categories of sources:

• Humana’s clients, enrollees, or people interested in Humana’s products or services, including family members or representatives of the above
• Information collected automatically through our websites or mobile applications, including through cookies
• Publicly available sources
• Subscription services
• Web-scraping
• Cookies

In the past 12 months, we have disclosed the following categories of Personal Information for business purposes:

• Category A: Identifiers.
• Category B: Protected classification characteristics under California or federal law.
• Category C: Commercial information.
• Category D: Internet or other electronic network activity information, including browsing and search history, See, Humana Internet Privacy Statement
• Category F: Education Information.
• Category G: Geolocation Data

• Humana’s affiliates
• Service providers
• Business partners (e.g., referrals of business contacts or job applicants)
• Research institutions
• Healthcare providers
• Healthcare clearinghouses
• Other third parties as directed by our enrollees
• Regulators

We have not sold any Personal Information in the past 12 months.

With respect to each of the categories of data above, we may also collect and share Personal Information with third parties to comply with legal obligations; when we believe in good faith that an applicable law requires it; at the request of governmental authorities or other third parties conducting an investigation; to detect and protect against fraud, or any technical or security vulnerabilities; to respond to an emergency; or otherwise to protect the rights, property, safety, or security of our business, third parties, visitors to our websites and mobile apps, or the public. We may also share Personal Information with any person to whom we transfer any of our rights or obligations under any agreement, or in connection with a sale, merger or consolidation of our business or other transfer of our assets, whether voluntarily or by operation of law, or who is otherwise deemed to be our successor or transferee.

II. Personal Information We Will Continue to Collect About You and Why

We will continue to collect the same categories of Personal Information listed above, for the same purposes. If this should change, we will issue an updated Privacy Notice.

Rights Related to Personal Information Held by Us

We are committed to ensuring that you know what Personal Information we collect. To that end, you can ask us for the categories and specific pieces of your Personal Information that we’ve collected about you in the 12 months prior to our receipt of your request.

If you ask us for information about the categories of Personal Information we’ve collected, for each identified category, you may receive the following information:

• The categories of sources from which your Personal Information was collected.
• The business or commercial purposes for collecting your Personal Information.

We are also committed to ensuring that you know what information we share about you. Thus, if you ask us for information about the categories of Personal Information we’ve collected, for each identified category, you may receive the following additional information:

• The categories of third parties to which we’ve sold that Personal Information, and the business or commercial purpose for doing so.
• The categories of Personal Information that we’ve shared with service providers who provide services for us.

Our responses to any of these requests will cover the 12-month period preceding our receipt of the request.

Upon your request, we will delete the Personal Information we have collected about you, except for situations where specific information is necessary for us to: provide you with a good or service that you requested; perform a contract we entered into with you; maintain the functionality or security of our systems; or comply with or exercise rights provided by the law. The law also permits us to retain specific information for our exclusively internal use, but only in ways that are compatible with the context in which you provided the information to us or that are reasonably aligned with your expectations based on your relationship with us.

Residents of the State of California, under certain provisions of the California Civil Code, have the right to request from companies conducting business in California a list of all third parties to which the company has disclosed certain personally identifiable information as defined under California law during the preceding year for third-party direct marketing purposes. You are limited to one request per calendar year. In your request, please attest to the fact that you are a California resident and provide a current California address for our response. You may request the information in writing by contacting the Humana Privacy Office, PO Box 1438, Louisville, KY 40202.

III. Exercising Your Rights and How We Will Respond

To exercise any of the rights above, or to ask a question, use the contact details set out at the end of this Privacy Policy to contact us.

For requests for access or deletion, we will first acknowledge receipt of your request within 10 days of receipt of your request. We provide a substantive response to your request as soon as we can, generally within 45 days from when we receive your request, although we may be allowed to take longer to process your request in certain jurisdictions or under certain circumstances. If we expect your request is going to take us longer than normal to fulfill, we will let you know.

We usually act on requests and provide information free of charge, but we may charge a reasonable fee to cover our administrative costs of providing the information in certain situations.

In some cases, the law may allow us to refuse to act on certain requests. When this is the case, we will endeavor to provide you with an explanation as to why.

IV. Verification of Identity – Access or Deletion Requests

We will ask you for at least three pieces of Personal Information and endeavor to match those to information we maintain about you. Additionally, we require that you provide a declaration attesting to your identity, signed under penalty of perjury.

If we are unable to verify your identity with the degree of certainty required, we will not be able to respond to the request. We will notify you to explain the basis of the denial. Additionally, we will treat the request as one seeking disclosure of the categories of Personal Information we have collected about you and endeavor to verify your identity using the less-stringent standards applicable to such requests.

We will ask you for at least two pieces of Personal Information and endeavor to match those to information we maintain about you.

If we are unable to verify your identity with the degree of certainty required, we will not be able to respond to the request. We will notify you to explain the basis of our denial.

We will ask you for at least two pieces of Personal Information and endeavor to match those to information we maintain about you.

If we are unable to verify your identity with the degree of certainty required before providing you with the information requested, we will notify you to explain the basis of our denial.

You may designate an agent to submit requests on your behalf. The agent can be a natural person or a business entity that is registered with the California Secretary of State.

If you would like to designate an agent to act on your behalf, you and the agent will need to comply with our agent verification process. You will be required to verify your identity by providing us with certain Personal Information as described above, depending on whether you hold an account with us or not and the nature of the information your require, which we will endeavor to match the information submitted to information we maintain about you. Additionally, we will require that you provide us with written confirmation that you have authorized the agent to act on your behalf, and the scope of that authorization. The agent will be required to provide us with proof of the agency relationship, which may be a declaration attesting to the agent’s identity and authorization by you to act on their behalf, signed under penalty of perjury. If the agent is a business entity, it will also need to submit evidence that it is registered and in good standing with the California Secretary of State. Information to identify and verify your agent can be submitted through the same mechanism and at the same time that you submit information to verify your identity.

Please note that this subsection does not apply when an agent is authorized to act on your behalf pursuant to a valid power of attorney. Any such requests will be processed in accordance with California law pertaining to powers of attorney.

There may be some types of Personal Information that can be associated with a household (a group of people living together in a single dwelling). Requests for access or deletion of household Personal Information must be made by each member of the household. We will verify each member of the household using the verification criteria explained above.

If we are unable to verify the identity of each household member with the degree of certainty required, we will not be able to respond to the request. We will notify you to explain the basis of our denial.

V. How We Protect Personal Information

We implement and maintain reasonable security appropriate to the nature of the personal information that we collect, use, retain, transfer or otherwise process. Our reasonable security program is implemented and maintained in accordance with applicable law and relevant standards as outlined in the report issued by the California Attorney General in February 2016 on their website, PDF opens new window. Specifically, among other safeguards, our reasonable security program implements and maintains all 20 of the Center for Internet Security’s Critical Security Controls for Effective Cyber Defense identified in Appendix A of the California Attorney General Report. As noted in that report, “there is no perfect security,” and reasonable security is a process that involves risk management rather than risk elimination. While we are committed to developing, implementing, maintaining, monitoring and updating a reasonable information security program, no such program can be perfect; in other words, all risk cannot reasonably be eliminated. Data security incidents and breaches can occur due to vulnerabilities, criminal exploits or other factors that cannot reasonably be prevented. Accordingly, while our reasonable security program is designed to manage data security risks and thus help prevent data security incidents and breaches, it cannot be assumed that the occurrence of any given incident or breach results from our failure to implement and maintain reasonable security.

VI. Consumers Under 18 Years Old

We do not collect or sell Personal Information that we know is from a child under 18 years old.

VII. Changes to This Policy

We will review and update this Policy as required to keep current with rules and regulations, new technologies and security standards. We will post those changes on the website or update the Privacy Policy modification date below. In certain cases and if the changes are material, you will be notified via email or a notice on our website.

VIII. Accessibility

We are committed to ensuring that our communications are accessible to people with disabilities. To make accessibility-related requests or report barriers, please see Humana Accessibility Resources.

IX. Non-Discrimination

We will not discriminate against you in a manner prohibited by the CCPA because you exercise your CCPA rights.

X. Contact us

If there are any questions regarding this Privacy Policy or to request a copy of this Privacy Policy in another format you may contact us using the information below.

Humana Privacy Office
P.O.Box 1438
Louisville, KY 40202
Email: Privacyoffice@humana.com
Phone: 1-866-861-2762