Consumer Health Data Privacy Policy

1. Scope and Applicability

This Consumer Health Data Privacy Policy ("Health Data Policy") applies to the collection, use, sharing, and storage of "consumer health data" as defined by applicable state consumer health data privacy laws. This policy applies to individuals who are residents of states with such laws, including Washington, Nevada, and Connecticut.

"Consumer health data" under these laws broadly includes information that identifies or is reasonably linkable to a consumer and relates to the consumer's physical or mental health. This may include health conditions, diagnostic information, treatment records, health insurance information, and other health-related data.

Note: To the extent that health data is governed by HIPAA as Protected Health Information (PHI) processed under a Business Associate Agreement, HIPAA requirements prevail and this policy serves as supplementary disclosure.

2. Categories of Consumer Health Data We Collect

In the course of providing our eligibility automation services, Rendum may collect or process the following categories of consumer health data:

• Health Insurance Information: Medicare Advantage plan identifiers, payer names, enrollment effective dates, termination dates, coverage types, and member identification numbers.
• Eligibility Data: Information about a consumer's enrollment status in supplemental benefit programs, including benefit types (meal delivery, transportation, PERS, pest control, etc.) and service authorization periods.
• Demographic Information Linked to Health Data: Name, date of birth, address, and contact information when associated with health insurance or eligibility records.
• Billing Records: Billable day calculations, invoice records, and payment status associated with a consumer's supplemental benefit enrollment.

Rendum does not collect clinical data, treatment records, diagnoses, prescription information, biometric data, genetic data, or data from consumer health devices.

3. Sources of Consumer Health Data

We receive consumer health data from the following sources:

• Our Customers (Covered Entities): Supplemental benefit vendors who upload eligibility rosters, enrollment files, and member data to our platform for billing processing.
• Payer Files: Eligibility and enrollment files received from Medicare Advantage payers on behalf of our customers.

We do not collect consumer health data directly from consumers. All health data is received through our B2B customer relationships.

4. Purposes for Collecting and Using Consumer Health Data

We collect and use consumer health data solely for the following purposes:

• Eligibility Automation: Processing eligibility verification, calculating billable days, and delivering rendumized rosters for supplemental benefit services.
• Data Normalization: Transforming payer-specific data formats into standardized formats for consistent eligibility processing.
• Audit and Compliance: Maintaining audit trails required for healthcare eligibility compliance and regulatory requirements.
• Service Improvement: Analyzing aggregate, de-identified data to improve our eligibility algorithms and platform performance.
• Customer Support: Assisting our customers with eligibility inquiries, data discrepancies, and technical issues.

We do not use consumer health data for advertising, marketing, discriminatory purposes, or any purpose unrelated to providing our eligibility automation services.

5. Sharing of Consumer Health Data

We may share consumer health data with the following categories of recipients:

• Infrastructure Providers: Microsoft Azure for cloud hosting, compute, and storage services. Azure processes data under our instructions and has executed a BAA with Rendum.
• Our Customers: We return processed billing data to the customer who originally provided the consumer health data.
• Legal Requirements: When required by law, subpoena, court order, or government regulation.

We do not sell consumer health data. We do not share consumer health data with data brokers, advertisers, or social media platforms.

6. Consumer Rights

Under applicable state consumer health data privacy laws, consumers may have the following rights:

• Right to Know: The right to confirm whether we are collecting, sharing, or selling consumer health data and to access that data.
• Right to Delete: The right to request deletion of consumer health data, subject to certain exceptions (e.g., data required for ongoing service delivery to our customers or legal obligations).
• Right to Withdraw Consent: The right to withdraw consent for collection and sharing of consumer health data.
• Right to Non-Discrimination: Rendum will not discriminate against any consumer for exercising their privacy rights.

Because Rendum processes consumer health data as a service provider (processor) on behalf of our customers (controllers), consumers should direct access and deletion requests to the supplemental benefit vendor with whom they have a direct relationship. If a consumer contacts Rendum directly, we will direct them to the appropriate customer and cooperate with the customer to fulfill the request.

7. Data Retention and Deletion

Consumer health data is retained for the duration of our service agreement with the customer who provided it, plus a 90-day post-termination period for data export. After the export period, consumer health data is permanently deleted from all production systems within 30 days.

Backup copies containing consumer health data are overwritten through our standard backup rotation cycle within 90 days of deletion from production systems.

8. Data Security

We implement commercially reasonable security measures appropriate for the sensitivity of consumer health data, including:

• AES-256 encryption for data at rest
• TLS 1.2+ encryption for data in transit
• Role-based access controls with multi-factor authentication
• Comprehensive audit logging of all data access
• Annual third-party security audits (SOC 2 Type II)
• Regular vulnerability scanning and penetration testing

9. Geofencing

In compliance with Washington's MHMDA, Rendum does not use geofencing technology to identify or track consumers seeking healthcare services, nor do we collect consumer health data through geofencing around healthcare facilities.

10. Changes to This Policy

We may update this Health Data Policy to reflect changes in applicable laws or our data practices. Material changes will be communicated to our customers via email notification at least 30 days before taking effect. The "Last updated" date at the top of this page indicates the most recent revision.

11. Contact Us

For questions about this Consumer Health Data Privacy Policy or to exercise your rights under applicable state laws:

Rendum, Inc.
Attn: Privacy Team
Email: privacy@rendum.io

Washington residents may also contact the Washington State Attorney General's Office at www.atg.wa.gov/file-complaint.