Skip to main content


Effective Date: 11 SEP 2017
Last Updated: 22 JUNE 2020



This Privacy Practices Section applies to the MedSavvy Site’s use and disclosure of your data. Depending on your health plan, benefits, and location, you may have access to the Ask a Pharmacist™ feature and/or the MedSavvy Pharmacy. The MedSavvy Pharmacy is subject to different laws and regulations, and as such its collection, disclosure, and use of your data is subject to a separate Notice of Privacy Practices. The MedSavvy Pharmacy Notice of Privacy Practices will be presented to you for your acceptance the first time you access the MedSavvy Pharmacy.

Your group health plan and/or insurance carrier also maintains a separate Notice of Privacy Practices, which describes their use and disclosure of your data. You should also review and become familiar with that notice.

We, at MedSavvy, know you value your privacy. That is why we are committed to the confidentiality and security of your personal information. We maintain physical, administrative and technical safeguards to protect against unauthorized access, use, or disclosure of your personal information, including information we share internally either orally, electronically, or in writing.

We collect personal information, such as your name, contact information, and health information, from you, your employer, and your insurers that provide you coverage. We are required by law to maintain the privacy of this information and to explain our legal duties and privacy practices. We are also required by law or by contract to notify affected individuals or their insurer, health plan or provider (Covered Entity for which we are a Business Associate) following a breach of unsecured protected health information. We provide the protections and apply the practices described in this notice to all personal information that we maintain, including personal information of former members who are no longer covered by us. We hope this notice will clarify our responsibilities to you and give you an understanding of your rights. We are required to abide by the notice that is currently in effect. This notice is in effect as of September__, 2017.

Your rights
If your health plan or provider contracts with MedSavvy, you may exercise your individual rights (inspection and amendment of records, accounting of disclosures, and special handling requests) under HIPAA by contacting your insurer, health plan or provider. If you have questions, you may call us or write to our Privacy Official. See Contacting Us at the end of this notice. If you want a paper copy of this notice, you can request it in writing. See Contacting Us at the end of this notice.

You have the right to submit a complaint if you believe we have violated your privacy rights. To submit a complaint, write to: MedSavvy, Privacy Office, P.O. Box 1071, Mailstop E12P, Portland, OR 97207 or call us at the phone number provided at the end of this notice. If we contract with your insurer, health plan or provider, you also have the right to submit a complaint to them. You have the right to submit a complaint to the Secretary of the U.S. Department of Health & Human Services to the extent we are acting as a Business Associate to your insurer, health plan or provider. Be assured that we will not retaliate against you for submitting a complaint.

Permitted Uses and Disclosures
To provide accurate information and services to you, we collect, use and disclose protected health information for a variety of purposes:

  • Payment: We may use or disclose protected health information for payment purposes, including to coordinate benefits with other entities responsible for paying your claims.
  • Health care operations: We may use or disclose protected health information to your insurer, health care provider, pharmacy or health plan to facilitate operations, including assisting in coordination of care, supporting refilling prescriptions, detection or prevention of fraud or abuse. We may not, however, use or disclose genetic information for underwriting purposes.
  • Business associates: Occasionally, we contract with vendors and other business associates to assist us, and your health plan to perform insurance-related functions. We may disclose protected health information to these business associates in order to allow them to perform these functions. They also may collect, use or disclose protected health information on our behalf. We contractually obligate our business associates and they are required by law to provide the same privacy protections that we provide.
  • Insurer, health plan, or provider: If you are enrolled in an employer-sponsored group health plan (or a group health plan sponsored by another entity), we may disclose protected health information to the group health plan or plan sponsor to report our activities. When we provide your personal information to your group health plan or other plan sponsors we comply with the required safeguards to protect your information.
  • Legal proceedings: We may disclose protected health information in the course of a judicial or administrative proceeding, and in response to a court order, subpoena, discovery request, or other lawful process.
  • Law enforcement: We may disclose protected health information to law enforcement officials in response to an administrative subpoena, a warrant, or an administrative request intended to identify or locate a suspect, victim or witness. We also may disclose protected health information for the purpose of reporting a crime on our premises.
  • Military and national security: We may disclose protected health information to armed forces personnel for military activities and to authorized federal officials for national security and intelligence activities.
  • Correctional institution: If you are an inmate, we may disclose protected health information to your correctional institution for treatment purposes or to ensure the safety of yourself and others.

You may give us written authorization to use protected health information or disclose protected health information about yourself to anyone for any purpose. An authorization remains valid for two years unless the authorization states otherwise or you revoke it. You may revoke an authorization at any time by submitting a written revocation (see Contacting us, below), but a revocation will not affect any use or disclosure permitted by the authorization while it was in effect. An authorization is required for us to use or disclose your protected health information for purposes other than those described in this notice. In particular, we need your written authorization to use or disclose psychotherapy notes, except in limited circumstances such as when the disclosure is required by law. We also must obtain your written authorization to sell information about you to a third party or when we receive financial compensation to use or disclose your protected health information to send you communications about products and services.

Contacting Us
Please feel free to contact at 844-633-7288 with any questions or concerns. For more information about this notice or to file a written privacy-related complaint, you may please write to: Privacy Official, MedSavvy, Cambia Health Solutions, P.O. Box 1071, MS E12B, Portland, OR 97207.

The Site is not directed at children under the age of 13. MedSavvy complies with the Children’s Online Privacy Protection Act and does not knowingly permit registration or submission of personally identifiable information by anyone younger than 13 years of age. 4


Individuals who reside in the state of California, a “consumer,” as that term is defined under California law, have additional rights reserved under the California Consumer Privacy Act (CCPA) and the California Shine the Light law:

  • Right to Opt-Out. We do not sell personal information.
  • Right to Request Personal Information. As a consumer, you have the “right to know” and request that we disclose what personal information we collect, use, and disclose. See the instructions below for submitting a verifiable request, including through the online request form offered by us. You have the right to request the categories of personal information, as detailed under the CCPA, we have collected and store about you. In addition, you have the right to request categories of sources of personal information we collected about you, the business or commercial purpose for collecting, the categories of third parties with whom we share that personal information, and the specific pieces of personal information we have collected about you. Categories of personal information that we disclosed about you for a business purpose may also be requested, with the appropriate lists provided under the CCPA. Upon receipt of a verifiable consumer request, described below in this Privacy Statement/Notice, from you to access personal information, we will promptly take steps to disclose and deliver, free of charge to you, the personal information required by this section and within the timeframes permitted for responding to exercise of this or other applicable right(s). The information may be delivered by mail or electronically, dependent on portability and technical considerations under the CCPA. We may provide personal information to you at any time following a verified request, but shall not be required to provide personal information to you more than twice in a 12-month period.  
  • Right to Delete Personal Information. You have the right to request we delete personal information we, or our service providers, store about you. Please keep in mind our response to such a request, upon verification, may include an explanation of the business purpose under which we may retain your information (for example, we would need to retain copies of a business transaction for financial records) in accordance with the CCPA. 
  • Non-Discrimination. If you elect to exercise any right(s) under this section of our Privacy Statement, we will not discriminate or retaliate against you.

If you are a California consumer and would like to submit a request based on this section of our Privacy Statement, please use this web form, email us at, or call us toll-free at 844-633-7288. Also, be sure to check this policy for updates as we will review it at least every 12 months and make updates as necessary.

Identity Verification Requirement.  We are required by law to verify that any data access request submitted under the authority of the CCPA was made by someone with the legal right to access the personal information requested. Therefore, prior to accessing or divulging any information pursuant to a data subject access request, under the terms of the CCPA, we may request that you provide us with additional information in order for us to verify your identity, your request, and legal authority (ex. authorized representative). Only you, or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child. Please indicate in your request if either of these apply, as additional verification may apply (ex. verify consumer’s identify and confirm with impacted person(s) that the authorized agent has permission to submit the request).

A verifiable consumer request must provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative. A verifiable request must also include sufficient detail that allows us to properly understand, evaluate, and respond to it. 

In general, our verification process includes reviewing the information submitted in the request, comparing it to the right(s) requested; the number of verification points/methods required by the CCPA; and the type, sensitivity, and risk of information requested, including to the consumer, from unauthorized disclosure or deletion. An account is not required with us in order to make a request. We will use personal information provided in a verifiable consumer request to verify the requestor's identity and authority to make the request, or otherwise as permitted by the CCPA (ex. record retention). We will respond to a verifiable consumer request within 45 days of its receipt, and if we require more time (up to 90 total days), we will inform you of the reason of the extension in writing. A response to a consumer request will be provided as required by the CCPA, such as through an account (if one exists), or otherwise by mail or electronically. 

Access Request Responses.  Under the CCPA, there may be certain circumstances where we would deny your request to access, receive, or delete personal information we hold.  For example, we would deny requests where any such access or disclosure would interfere with our regulatory or legal obligations, where we cannot verify your identity, and/or where exemptions/exceptions permitted by the CCPA apply. We also have the ability under the CCPA to deny requests if it would result in our disproportionate cost or effort. Further, certain rights granted by the CCPA will not be effective until January 1, 2021. However, even where we will not substantively complete a request made under the CCPA, we will still provide a response and explanation to your request within a reasonable time frame and as required by law.

Disclosure of Categories. As defined by the CCPA, categories of personal information collected from consumers by us within the past 12 months include: 


Personal information may also be collected in the course of a natural person acting as a current or former job applicant, employee, director, officer, or contractor within the context of that natural person’s role. Additional information collected may include emergency contact and information to administer benefits, including to another person.

“Personal information” does not include publicly available information, meaning information that is lawfully made available from federal, state, or local government records. “Publicly available” does not mean biometric information collected by a business about a consumer without the consumer’s knowledge. “Personal information” also does not include consumer information that is deidentified or aggregate consumer information. This Notice addresses online and offline practices by us. Information excluded from the CCPA’s scope includes health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Other information excluded includes those covered by the California Confidentiality of Medical Information Act (CMIA) or clinical trial data, and personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994. 

Personal information is collected and may be used to provide the services to you, to perform obligations under agreements, to provide information and notifications to you or an authorized representative, to protect the rights and safety of you and/or others, to comply with court and other legal requirements, for business purposes and as otherwise set forth in the CCPA, to conduct organizational and operational needs, and as otherwise described when collecting personal information or within this page. A request for personal information collected and/or deletion, noted above, may involve categories and/or specific pieces of information. However, certain exemptions and exceptions may apply in responding to a request. 

This business has not sold categories of personal information within the meaning of the CCPA, including minors under 16 years of age. 

Categories of personal information from our consumers disclosed for a business purpose within the past 12 months include:

(A) Identifiers such as real name, alias, postal address, unique identifiers, online identifiers, internet protocol address, email address, account name, social security number, driver’s license number, passport number, or similar identifiers;

(B) Categories of personal information as described in California Civil Code 1798.80(e);

(C) Characteristics of protected classifications under California or federal law;

(D) Commercial information, including records of personal property, products or services purchased, obtain, or considered, or other purchasing or consuming histories or tendencies;

(E) Biometric information;

(F) Internet or other electronic network activity information, including but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement;

(G) Geolocation data;

(I) Professional or employment-related information;

(K) Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

Business purposes may include auditing (ex. auditing and legal/regulatory compliance), security (ex. detecting security breaches), debugging (ex. identifying and fixing technical errors), short-term uses (ex. ad customization), performing services (ex. processing transactions), internal research (ex. product development), and testing/improvement (ex. improvement of technology). 

Categories of sources from which personal information was directly and indirectly collected in the past 12 months include from you and/or authorized agents (ex. documents provided to us related to the services for which you/they engage us, and information we collect in the course of providing services to you/them); interaction with our platforms and services (ex. website portal); and third parties (ex. those that provide services such as purchased information, advertising networks, internet service providers, operating systems and platforms, social networks, and data brokers). This could include information obtained on websites and services from third parties that interact with us in connection with the services we perform or are linked to. 

Categories of third parties with whom the business shared personal information in the past 12 months include authorized agents, affiliates, service providers (such as those described previously), contractors, and authorized third parties.

Contact Us. 

To make a request please contact us at please contact the us at with “CCPA Personal Information Request” in the subject line, and provide us with full details in relation to your request, including your contact information, the specific name of this business, and any other detail you feel is relevant. You can also use the other contact methods mentioned previously.

If you are from another area (ex. state) and believe you are entitled to exercise applicable right(s), please use the email address and/or phone number given and include relevant details. If you have questions or concerns about the business’s privacy policies and practices, you can use the contact methods mentioned above (ex. email) in this Notice to contact us. 

Last Updated: June 22, 2020

Blog Category