Patient Advocate Foundation Patient Privacy Policy

Effective Date: November 4, 2024

For a printable version of this Privacy Policy, click here.  

Patient Advocate Foundation (“PAF,” “we,” “us,” or “our”) is committed to protecting your individually identifiable information (“Personal Information”). This Privacy Policy (“Policy”) discloses the privacy practices for PAF and applies solely to information collected by PAF through its websites (including https://www.patientadvocate.org) or services where this Policy is posted (collectively “PAF Programs”), except where stated otherwise. While PAF is not a  “covered entity” or “business associate” under the federal Health Insurance Portability and Accountability Act (HIPAA), we are committed to respecting patient privacy. By using the PAF Programs, you acknowledge you have read and understand this Policy. If you are accessing the PAF Programs in your professional capacity, you agree you have consent of your employer to input information and bind yourself and your employer to the Privacy Policy and Terms of Use. If you do not agree to the Terms of Use and this Privacy Policy, please do not use the PAF Programs. 

For purposes of this Policy, the term “patient” means an individual who receives, or applies (either directly or indirectly through another person acting on that individual’s behalf) to receive, financial or other assistance through PAF’s case management programs, CareLines, and/or financial support programs, including, but not limited to, PAF’s Co-Pay Relief Program.  

Personal Information We May Collect from You

As PAF provides assistance through the PAF Programs, PAF collects from patients certain Personal Information, including: 

• Contact information, such as your mailing address, email address, or phone number.  
• Demographic information, such as age or gender.  
• Health information, which may include “protected health information” or “consumer health data” as those terms are defined under applicable laws. This may include: 
  • Your past, present, or future physical or mental health information, health insurance and other benefit information, and/or electronic personal health records;
  • Health conditions, treatment, diseases, or diagnoses, including reproductive or sexual health care and gender-affirming care;
  • Social, psychological, behavioral, and medical interventions;
  • Surgeries or health-related procedures;
  • Use or purchase of medication;
  • Bodily functions, vital signs, symptoms, or measurements of information regarding a consumer’s physical or mental health status;
  • Genetic data;
  • Precise location information that could reasonably indicate a consumer’s attempt to acquire or receive health care services or supplies;
  • Data that identifies a consumer seeking health care services;
  • Health data derived or extrapolated from non-health information (such as proxy, derivative, inferred, or emergent data derived through an algorithm, machine learning, or any other means); and/or
  • Other categories of Consumer Health Data with your consent.  
• Financial information, such as your income level.  
• Professional or employment information, such as the name of your employer and your employment status.  
• Internet, technical, or other similar network activity, such as your IP address, log files, and web pages visited on our websites or when using PAF Programs.  
• Location information, such as IP address.  
• Education information, such as your high school or college name, acceptance letter, academic transcript, letters of recommendation, and course of study. 
• Communications information, which includes any Personal Information you provide to us. For example, we may collect Personal Information upon completion of service delivery to you through a PAF Program when you are invited to Share Your Story. We also collect your Personal Information when you complete a Satisfaction Evaluation or when you respond to follow-up questions that PAF asks of  patients served by PAF Programs about the services they received both from PAF and from their medical and insurance providers.  
• Audio, video, and similar information, such as video testimonials and photographs.  
• Sensitive Personal Information, such as: consumer health data; social security number, driver’s license number, state identification card, or passport number; information revealing racial or ethnic origin; religious beliefs; sexual orientation; or citizenship or immigration status. Your financial account information along with required information to access your account may be collected on our behalf by a third-party payment processor.   
• Other Personal Information, including any other personal information we may collect from you, such as when we request documentation from patients to demonstrate grants funds are only being used for approved expenses.  
• Inferences drawn from any of the Personal Information described above, in order to create a profile reflecting your preferences, characteristics, predispositions, behaviors, attitudes, intelligence, abilities, or aptitudes.  

For each of the above categories of Personal Information, we may collect that Personal Information either directly from you, from an individual or entity authorized to provide information on your behalf, or indirectly from you via analytics and advertising providers when you interact with social media pages and PAF Programs. 

You have choices about the information we collect. When you are asked to provide Personal Information, you may decline. However, if you choose not to provide information that is necessary to provide our services, you may not be able to use some of our services. Residents of, or individuals located within, Washington or Nevada may also have additional rights relating to their consumer health data, as outlined below.  

Deidentified Data 

Deidentified data is information that cannot be reasonably linked to you, or be used to infer characteristics about you, so this data is no longer considered Personal Information. PAF will only use this information in a deidentified fashion and will not attempt to reidentify such data.  

Collection and Use of Information from Children  

The PAF Programs and PAF’s online services are not intended for use directly by children. We do not specifically or knowingly collect Personal Information directly from children, defined as individuals under the age of 13, and none of our online services are designed to attract children. If we learn that we have collected information from a minor under the age of 13 without parental consent, we take steps to remove that information from our servers. In some instances, we may use that information only to respond directly to that child (or his/her/their parent or legal guardian) to inform the minor that he/she/they cannot use the services. 

 
Why We Collect Information from You  

PAF uses Personal Information collected from patients or their authorized representatives in order to: 

• Provide patient assistance through its case management programs, CareLines, and/or financial support programs. Additional information about how PAF uses your Personal Information can be found in the relevant program disclaimer.  
• Understand what matters to the patients we assist and to evaluate how our services have impacted patients receiving the services, enabling us to serve as an effective voice for change in the health care system. Information on Surveys and Program Evaluations are linked here.  
• Respond to patients and their representatives to resolve issues presented by and/or for patients. 
• Meet our contractual commitments to you.  
• Notify you about any changes to our websites or services that may affect your use of the websites or services.  
• Provide our websites and services and respond to your information requests.  
• Send informational communications about PAF patient programs, educational resources, and upcoming events. 
• Solicit responses and feedback to voluntary patient and caregiver surveys as part of PAF’s ongoing program satisfaction and health services research activities. 
• Undertake internal research for technological development and demonstration, such as to improve our website and services. 
• Comply with applicable law or respond to valid legal process.  
• Help ensure security and integrity to the extent the use of Personal Information is reasonably necessary and proportionate for these purposes. 
• As otherwise permitted by applicable law or with your consent.  

It is the policy of PAF that PAF will use patients’ Personal Information, including Health Information, only as follows: 

• By PAF and its representatives to provide services and support to patients seeking assistance from and enrolled in PAF Programs, including those administered by PAF as a service provider, in order to respond to applications for assistance and/or resolve issues presented by patients seeking assistance from PAF. Representatives may include PAF employees, both permanent and temporary, directors, officers, PAF legal counsel, and contracted third-party service provider organizations; 
• In PAF case management programs as described in the Patient Advocate Foundation Representation Authorization linked here, in accordance with the Patient Advocate Foundation Case Management Program Disclaimer linked here; 
• In PAF CareLine programs and in accordance with the program disclaimer for each program listed and linked here; 
• In accordance with the PAF Co-Pay Relief Program Disclaimer linked here; or 
• In accordance with the PAF Financial Aid Fund Program Disclaimer linked here and for individual financial aid funds listed and linked at the bottom of that same page. 

Parties to Whom We May Disclose Your Information

We may share or disclose your Personal Information to the following categories of third parties and for the following reasons: 

• To third-party service providers, agents, or independent contractors who help us maintain our PAF Programs and provide other administrative services to us, in order to resolve issues presented by the patients or their representatives, to process an application for assistance, to process a claim being made against a financial award that has been provided, as required by a partnering organization, or as required by law. The patient, or the authorized representative, is notified of these disclosure practices via written program disclaimer, as referenced above, that is provided via mail, email, and/or published on our PAF Programs websites. 
• To third-party analytics providers to understand how PAF Programs are being used and to improve or develop PAF Programs.  
• To third parties in the course of any reorganization process or transaction, including, but not limited to, a merger, acquisition, or transfer of all or substantially all of our assets. If transferred in such a case, the purchaser will abide by the terms and conditions of this Policy. 
• To law enforcement, government agencies, and other related third parties, in order to comply with the law, enforce our policies, or protect our or others’ rights, property, or safety. 
• To third parties where necessary to assist in fraud protection and to minimize credit risk.  

If you participate in a survey, your survey responses are aggregated and deidentified and may be included in publicly available reports. However, no Personal Information is shared publicly with such reports. 

Information Ownership and Sharing

PAF is the sole owner of the Personal Information collected through PAF Programs, except in certain programs where PAF serves as an administrator for another organization’s program, or in partnership with another organization to deliver a program. Where PAF serves as an administrator for another organization’s program, or in partnership with another organization, your Personal Information is also subject to that third party’s privacy policy. PAF collects information that patients voluntarily provide or that is given to us by patients’ authorized representatives and providers, including, but not limited to, family members, caregivers, guardians, medical providers, pharmacies, health care facilities, diagnostic laboratories, medical equipment providers, health and welfare benefit plans, insurance companies, benefit administrators, and employers. 
 
Notice Regarding Public Posting Areas

Please note that any information you include in a message you post to any chat room, forum, or other public posting area (such as on our social media pages) is available to anyone with Internet access. If you do not want people to know your email address, for example, do not include it in any message you post publicly. PLEASE BE EXTREMELY CAREFUL WHEN DISCLOSING ANY INFORMATION IN CHAT ROOMS, FORUMS, AND OTHER PUBLIC POSTING AREAS. WE ARE NOT RESPONSIBLE FOR THE USE BY OTHERS OF THE INFORMATION YOU DISCLOSE IN PUBLIC FORUMS, AND OTHER PUBLIC POSTING AREAS. 

You may also be invited to participate in our “Share Your Story” program. By participating in that program, your Personal Information will be publicly shared to demonstrate program impact for patients and their families. This is a voluntary opportunity offered to select patients and has no bearing on delivery of services to a patient through PAF Programs. Only stories and Personal Information of patients who have provided authorization to PAF are shared publicly.  

Cookies

Like many websites, we use online tracking technologies and code-based tools, including, but not limited to, Software Development Kits (“SDKs”), pixels, web beacons, and cookies (i.e., analytics cookies) that track information about your activity and webpage-viewing history on PAF Programs (collectively, “Tracking Tools”) to see which web pages are visited and how often, to improve our service, to make our service more user friendly, and to give you a better experience when you return to the PAF Programs. The personal information collected through our use of Tracking Tools may include any of the categories of personal information outlined in the “Personal Information We May Collect from You” section above. 

In particular, we use Google Analytics to measure how you interact with our websites. To learn more about Google Analytics’ privacy practices and opt-out mechanisms, please visit the Google Analytics Security and Privacy Principles page at https://support.google.com/analytics/answer/6004245?hl=en. Google also provides a complete privacy policy and instructions on opting out of Google Analytics at https://tools.google.com/dlpage/gaoptout. 

Most browsers accept Tracking Tools automatically but allow you to disable them. Please check your browser and browser settings to determine where these Tracking Tools are stored and whether and how they may be deleted. Please visit their website here to learn more and to opt out, if desired. In any event, if you reject our Tracking Tools, you may still use the PAF Programs, but you may be limited in some of the features. 

How We Respond to Do-Not-Track Signals

At this time, our websites do not recognize automated browser signals regarding tracking mechanisms, which may include “Do Not Track” instructions. 

​​ 

​Disclaimer Regarding Video Content 

​​PAF websites may contain video content, audiovisual content, or content of a like nature (collectively, “Video Content”).  In connection with our provision of Video Content, PAF Programs may utilize Tracking Tools on the websites, which may result in information about your activity on the websites being transmitted from your browser to PAF and third parties, which, in turn, may result in the display of targeted advertisements on third-party websites, platforms​, and services, including advertisements for PAF content.  In addition, whether Tracking Tools on the Websites result in your browser’s transmission of information to third parties depends on a number of factors that may be outside of PAF’s knowledge or control, including what third-party websites you use, what information you have provided to such third parties, and whether (and the extent to which) you have limited the use of cookies by the operators of those third-party websites, platforms, and services.  
 

Our Use of Chat Features 

PAF websites may use third-party chat features for support purposes. These features may collect the content of your communications and other Personal Information you provide while interacting with the chat feature. Please discontinue use of the PAF websites if you do not consent to the collection of such information by us and third parties.  
 

Third-Party Links and Social Media Plugins  You might find links to third-party websites within our PAF Programs. These third-party websites should have their own privacy policies, which you should review. We do not accept any responsibility or liability for their policies whatsoever, as we have no control over them. 

Our PAF Programs use the following social media plug-ins: Facebook, YouTube, Instagram, and LinkedIn. The plug-ins can be identified by the social media buttons marked with the logo of the provider of the respective social media networks. We have implemented these plug-ins using a 2-click solution, which means that when you use our websites, your Personal Information will not initially be collected by the providers of these social media plug-ins. Only if you click on one of the plug-ins will your Personal Information be transmitted. By activating the plug-in, your Personal Information is automatically transmitted to and stored by the respective plug-in provider. We neither have influence over the Information collected and processing operations conducted by these providers, nor are we aware of the full extent of Personal Information collection, purposes, or the retention periods. Further details on the purpose and scope of information collection and its processing by the plug-in provider can be found in the respective privacy policies of these providers, where you will also find further details on your rights and options for privacy protection: 

• Facebook Inc.: https://www.facebook.com/privacy/explanation. 
• Google LLC: https://policies.google.com/privacy. 
• Instagram:  https://help.instagram.com/519522125107875 
• LinkedIn Corp.: https://www.linkedin.com/legal/privacy-policy 

 
Media Release Form

Certain patients may be contacted by PAF about participating in public appearances, media interviews, and other outreach activities. These voluntary activities have no bearing on delivery of services to patients through PAF Programs. Before participating in such activities, selected patients must complete a media release form. Only patients who have provided authorization to PAF to share their Personal Information publicly will be engaged in such media events and opportunities. 

Security

The security of your Personal Information is of great importance to PAF. Accordingly, we implement reasonable security measures to protect your Personal Information. PAF maintains electronic Personal Information in secure, cloud-based systems and securely transfers data through encryption.  Access to Personal Information is managed through permissions-based profiles and is limited to only PAF roles that need access to complete specified job functions.  Volunteers do not have access to systems containing your Personal Information.  PAF does not rent or sell your Personal Information at any time.  

Please understand, however, that no data transmissions over the Internet can be guaranteed to be 100% secure. Consequently, we cannot ensure or warrant the security of any information you transmit to us. You understand that any information that you transfer to us is done at your own risk. If we learn of a security systems breach, we may attempt to notify you electronically so that you can take appropriate protective steps. We may also post a notice via our PAF website if a security breach occurs. We may also send an email to you at the email address you have provided to us in these circumstances. Depending on where you live, you may have a legal right to receive notice of a security breach in writing. 
 
International Data Transfers 
We are based in the US. If you choose to provide us with your Personal Information, you understand that your Personal Information may be transferred to the US and that we may transfer that information to third parties, across borders, and from your country or jurisdiction to other countries or jurisdictions around the world. If you are visiting from the EU or other regions with laws governing data collection and use that may differ from US law, you understand that you are transferring your Personal Information to the US and other jurisdictions which may not have the same data protection laws as the EU. We put in place appropriate operational, procedural, and technical measures to ensure the protection of your Personal Information, such as standard contractual clauses. You understand that by providing your Personal Information: (i) your information will be used for the uses identified above in accordance with this Policy; and (ii) your information may be transferred to the US and other jurisdictions as indicated above, in accordance with applicable law. 
 

Retention of Your Information

We retain Personal Information for as long as we have a legitimate business need to do so or as allowed under applicable law, such as for the duration outlined in our documentation retention and destruction policy or to comply with applicable legal, tax, or accounting requirements. 

 
Access and Updates to Your Information

Patients may request a printed copy of their Personal Information that is electronically stored at PAF and/or provide updates to their Personal Information by contacting us via email privacy@patientadvocate.org, by calling 757-952-0589, or by writing to Patient Advocate Foundation, Attn: Patient Privacy, 421 Butler Farm Rd, Hampton, VA 23666. PAF retains patient records according to its data retention policy, so PAF does not delete entire patient records that are electronically stored upon request. 

Rights Regarding Consumer Health Data  

If you are a resident of or individual whose consumer health data was collected within Washington or Nevada, you have the following rights:  

• The right to know if PAF is collecting, sharing, or selling your consumer health data. 
• The right to receive (or “access”) a list of all third parties and affiliates with whom PAF has shared or sold your consumer health data and to receive a copy of any written authorization for any sale of consumer health data. 
• The right to request deletion of your consumer health data. 
• The right to withdraw consent/authorization and request that PAF cease collecting, sharing, or selling your consumer health data. 
• The right to appeal PAF’s refusal to take action on a request. 

 
California Privacy Rights 
California’s “Shine the Light Law” (Civil Code Section 1798.83) permits users of PAF Programs who are California residents to request certain information regarding our disclosure of Personal Information to third parties for their direct marketing purposes. However, please note that we do not share Personal Information with third parties for their direct marketing purposes. 

How to Opt Out of Future Contacts

You may opt out of any future contacts from PAF at any time. However, doing so may impact your participation in PAF Programs. To do so, contact us by one of the methods described below. 
 
How to Obtain a Printed Copy of This Policy

To request a printed copy of this policy, any PAF authorization form, or any PAF program disclaimer, contact us by one of the methods described below. 

How to Contact Us

We welcome any questions, comments, or requests you may have regarding this Policy or your rights under this Policy. You may contact PAF by any one of the following methods: 

• By emailing privacy@patientadvocate.org  
• By calling 757-952-0589 
• By writing to Patient Advocate Foundation, Attn: Patient Privacy, 421 Butler Farm Road, Hampton, VA 23666. 

For patients with concerns about PAF’s use of Personal Information, or for any questions about our information practices, please first contact the PAF employee with whom the patient is communicating and/or working for assistance. 

Notification of Privacy Policy Changes

The current PAF Privacy Policy is posted at www.patientadvocate.org/patient-privacy. We reserve the right to modify this Policy at any time. When we do so, we will update the “Effective Date” above. You will be notified of any material changes to this Policy via a posting on PAF websites or as required under applicable law.