Microsoft HealthVault Account Privacy Statement
(Last updated: August 2014)
Microsoft is committed to protecting your privacy. This privacy statement applies to the data collected by Microsoft through the Microsoft HealthVault Account (the "Service"). It does not apply to data collected by other online or offline Microsoft sites, products, or services.
The Service is a personal health platform that lets you gather, edit, add to, store, and share health information online. With the Service, you can control your own health records. You can also share your health information with family, friends, health care professionals, mobile phone applications, health-related devices, and online tools.
You can store health information for other people (such as your family) in one HealthVault account. You should store and access each person's information in separate health records within your account.
You can choose to share information with separate programs and systems that can connect with the Service ("Programs") to use, edit and add to your health record. Programs can help you manage your information and find relevant health information.
You can choose to share specific information (or all information) with:
- other people (such as friends and family)
- Programs (such as Programs that add data to your health records, provide information to your healthcare provider, or use some of your health records to provide information to you about managing your health)
Collection of your personal information
The Service asks you to enter an identifier and password to sign in. You can use Microsoft account credentials, and sign-in credentials from certain other providers. Microsoft does not endorse or provide any credential other than the Microsoft account. Before you choose to use non-Microsoft sign-in credentials with the Service, we recommend that you evaluate the security and privacy commitments offered by the issuer and decide if they are appropriate for your HealthVault account. We recommend having more than one sign-in credential for your account, to help ensure you can access your data if you lose one of them.
Microsoft account (formerly known as Windows Live ID and Microsoft Passport) is a service that allows you to sign into Microsoft products, web sites and services, as well as those of select Microsoft partners. If you don't already have a Microsoft account, you can create one to open your HealthVault account. The HealthVault signup pages will send you to the Microsoft account system to create a username and password.
To view additional details about Microsoft account, including how to use a Microsoft account, how to edit account information, and how we collect and use information relating to a Microsoft account, please read the Microsoft account details at. http://go.microsoft.com/?linkid=9838024.
The first time you sign in to the Service, the Service asks you to create a HealthVault account. To create a HealthVault account, you must provide personal information such as name, date of birth, e-mail address, postal code and country/region. Depending on which features you use, you may be asked for additional information for that feature (such as creating an emergency profile or fitness goal).
We will use the e-mail address you provide when you create your HealthVault account to send you an e-mail requesting that you validate your email address, to include in sharing invitations you send through the Service, and to send you Service notifications, such as e-mail notification that information is available to add to your HealthVault records. As described in their privacy statements, Programs you authorize may also use your e-mail address.
A HealthVault account allows you to manage one or more health records, such as the ones you create for yourself and your family members. You choose what information to put in your records. Examples of the types of information you can store in a record include:
- fitness-related activities such as aerobic sessions
- measurements such as blood glucose and blood pressure
- discharge summaries from hospitalizations
- lab results
- health history
You can use Programs to enter a wide range of health information into a record. You can give Programs permission to view, add, modify, and/or delete information in a record. Some Programs store their own copy of the information they access. The Service provides links to each Program's privacy statements at the time the Service asks you to authorize the Program's access. Please read those for information such as where and how the Program may use, store and transfer your information; what additional information it may collect; how you can review, edit and delete the information it holds; and other choices you may have. You can also store files, and can add or edit some information directly when logged into your Service account.
Other information we collect
To help operate and improve the service, we also collect information about how you interact with our services, including the browser you're using, your IP address, location, cookies or other unique IDs, the pages you visit and features you use. We combine this with other users' information to get an overall view of how the service is used.
Sharing your personal information
By default, you are the custodian of any records you create. You may invite additional people to be custodians. Each custodian can add and remove other custodians and users who can view and modify the record. Some of the information stored in the records you manage may be highly sensitive, so you need to consider carefully with whom you choose to share the information. A record may have multiple custodians.
A key value of the Service is the ability to share your health information with people and services who can help you meet your health-related goals. For example, you can share health information from records you control:
- to co-manage the health of a family member
- to use it with other health-related products and services
- to consult with your health care provider
- to provide fitness information to coaches and trainers
You can share information in a health record you are custodian of with another person by sending a sharing invitation e-mail through the Service. If the person accepts your sharing invitation and has or creates a Service account, you have given him or her access to that information. You can specify how long they have access (custodian access does not expire but, like all sharing access, it can be revoked at any time) and whether they can modify the information in the record. Each person who accepts a sharing invitation can grant Programs the same level of access that the person has.
You can also choose to grant custodian access to other persons, such as your spouse, for any record of which you are a custodian. Custodian access is the broadest level of access, so you should think carefully before you grant custodian access to a record. Every custodian of a record has the same access to the record, including accessing, modifying, deleting, and sharing all the information in the record. A custodian can also revoke access to a record from any other custodian of the record, including you.
You can also share personal information and health information with Programs. You decide which Programs you want to use. You must approve (or deny) the Program's access. The access request will include (a) the type of information the Program will access, (b) generally what the Program wants to do with the information (view, add, modify), and (c) links to more detailed information from the Program about its legal terms and privacy practices. You can find some Programs listed at HealthVault.com and you can access Programs directly through their own Web sites. A user who has the appropriate level of access must affirmatively authorize a Program's access to any health record in your account. Microsoft requires Program providers to agree to provide accurate information about their privacy practices and comply with applicable laws. However, except for restricting the access they have to your HealthVault data we do not control or monitor the practices of those Programs, and their privacy practices will vary. You can read the Program's privacy statement for more information. You can freely grant and revoke a Program's access to the records stored in the Service. The access you grant a Program through the Service is valid until you revoke that access.
Service users with whom you have shared your records can also give a Program access to those records. You can see a complete history of how Programs have accessed the information in your records by using the History feature in the record.
Anyone (including someone who is not a custodian) who has access to a record can create and print a wallet card that contains a summary of the emergency profile information they have access to, and can create an access code. If an access code is created, it will be on the wallet card. Anyone who knows the access code can use it at our web site to view the emergency profile information stored on the record. Service users should protect wallet cards and access codes to guard against inappropriate use. Each time an access code is used at our web site to view the emergency profile information stored on a record, we will log it in the record history and we will notify by email the record user who created the access code, but we will not know who used the access code. Whoever has the access code can use it, and may pass it along to others who can also use it, until the access code is cancelled. Only the user who created the access code can cancel that access code. The record user can cancel the access code by signing into the Service and following the instructions. You can see a history of the creation and cancellation of access codes in the record history.
In the U.S., we enable participating providers to obtain reports about whether the information they send to a record is used. This feature supports the U.S. "meaningful use" objective of the HITECH Act, which provides incentives for health care providers to send their patients copies of their medical information electronically. Providers that participate can get reports that include:
- A number that the provider uses to identify the patient within the provider's system
- An indication if the user took one of the "qualifying actions" in HealthVault during the time period of the report (but no information about what action)
"Qualifying action" currently includes activities such as viewing, downloading, or transmitting health information via email in HealthVault. You can turn off reporting for your records. You can learn more about meaningful use at http://www.healthit.gov.
How we use your personal information
We use personal information collected through the Service, including health information, to provide the Service, and as described in this privacy statement. We do not use or disclose your information except as described in this privacy statement.
In support of these uses, Microsoft may use personal information:
- to provide you with important information about the Service, including critical updates and notifications
- to send you the HealthVault e-mail newsletter if you opt-in
- to determine your age and location to help determine whether you qualify for an account or for service features such as which language version or Program directory to display
- for "meaningful use" reporting to participating providers (see Sharing your personal information)
Microsoft occasionally hires other companies to provide limited services on our behalf, such as answering customer questions about products and services. We give those companies only the personal information they need to deliver the service, such as IP address or e-mail address. Microsoft requires the companies to maintain the confidentiality of the information and prohibits them from using the information for any other purpose.
Microsoft may access and/or disclose your personal information if we believe such action is necessary to: (a) comply with the law or respond to legal process served on Microsoft; or (b) protect the rights or property of Microsoft (including the enforcement of our agreements).
Personal and health information stored in the Service may be processed in the United States or any other country in which Microsoft or its affiliates, subsidiaries or service providers maintain facilities. If you sign up using a residence address that's located in the European Economic Area, we store the health records you create in the European Union. Microsoft abides by the safe harbor framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of data from the European Economic Area, and Switzerland.
How we use aggregate information and statistics
Microsoft may use aggregated information from the Service to improve the quality of the Service and for marketing of the Service (for example, to tell potential advertisers how many Service users live in the United States). This aggregated information is not associated with any individual account. Microsoft does not use your individual HealthVault account and record information from the Service for marketing without Microsoft first asking for and receiving your opt-in consent.
Service access and controls
You choose whether to create an account with the Service. The required HealthVault account information consists of a small amount of information such as your name, e-mail address, region, and Service credentials. We may request other optional information, but we clearly indicate that such information is optional. You can review and update your account information. You can modify, add, or delete any optional HealthVault account information by signing into the Service and editing your account profile.
You can close your HealthVault account at any time by signing into the Service and editing your account profile. We wait 90 days before permanently deleting your HealthVault account information in order to help avoid accidental or malicious removal of your health information.
When you close your HealthVault account, the Service deletes all records for which you are the sole custodian. If you share custodian access for a record, you can decide whether to delete the record from the Service. You should think carefully before you grant custodian access to your records.
If you close your Microsoft account or lose your account credentials, you may not be able to regain access to your Service information. You can use more than one credential with your account, to help ensure continued access. For more information about Microsoft account credentials, please read the Microsoft account details at www.microsoft.com/privacystatement.
Record access and controls
The Service allows an account to contain multiple health records. This feature enables, for example, family health managers to create and manage records for family members.
When you create a record, you become a custodian of that record. As a custodian, you decide what level of access to grant other users of the Service or Programs. The Service creates a fixed list of each access or change by Programs and users, which the Service keeps as a full history of the record. You can view and update records you are custodian of and can examine the history of access and changes to those records.
Sharing records with other Service users
The level of access you can grant as a custodian include:
- View-only access (time-limited access)
- View-and-modify access (time-limited access)
- Custodian access (no time limit)
Access becomes active only when the recipient accepts the invitation.
Custodian access is the highest level of access. A custodian of a health record can:
- Read the record
- Change the record
- Delete the record
- Grant to others any level of access to the record, including custodian access
- Revoke the access of anyone to a record, including other custodians, and including the custodian who granted them custodian access in the first place
Because inappropriate granting of access could allow a grantee to violate your privacy or even revoke your access to your own records, we urge you to consider all the consequences carefully before you grant access to your records.
When you grant someone non-custodian access, that person can grant the same level of access to Programs (for example, someone with view-only access can grant a Program view-only access).
As explained in the section titled "Sharing your personal health information" above, a custodian (or anyone who has access to a record) can create access codes that can be used by anyone to get view-only access at our web site to emergency profile information stored in the record, until the access code is cancelled by the record user who created the access code.
Sharing records with programs through the Service
In order to access the Service, the Program provider must agree to provide accurate information about its privacy practices and comply with applicable laws. Microsoft can revoke a Program provider's access to the Service if a Program does not meet its privacy commitments to Microsoft. However, except for restricting the access they have to your HealthVault data, we do not control or monitor those Programs, and their privacy practices will vary. We encourage you to contact us if you believe a Program is not protecting the privacy or security of your health data.
No Program has access to your information through the Service unless and until an authorized user opts in through the Service to grant it access. You control what health information you allow Programs to access and the length of time they can access the information in the record. If a Program requires information you are uncomfortable sharing, you can choose not to authorize that Program access to the record. A Program you authorize for a record will get the full name associated with your HealthVault account, the nickname of the authorized record(s), and your relationship to that record. The Service allows you to control (by accepting or denying Program requests for access) which health information types in a specific health record you choose to share with each Program and what actions you allow each Program to perform on the health information.
Certain providers can get reports about whether information they send to a record is used (see description of "meaningful use" reporting under Sharing your personal information). Custodians can turn reporting off for any of their records.
You can delete any health record that you are a custodian of by signing in to your HealthVault account and editing a record's profile. If other users had any level of access to that record, the record no longer appears in their accounts. The Service deletes the record from all users. We wait 90 days before permanently deleting the record information in order to help avoid accidental or malicious removal of your health information.
Deleting health information
When a Program or person moves a piece of health information to the trash, custodians may still view it there, and can restore it or delete it permanently from there at any time. Please note that Programs and non-custodial persons with whom you have shared your information are not able to see or restore items in the trash, nor may they permanently delete health information.
Permanently deleting health information removes it from the trash. Once someone permanently deletes an item, we cannot restore it. The Service adds an entry in your record history noting the name of the person who permanently deleted information and the date the deletion occurred.
In the U.S., the service assigns each record an email address. Email messages received are automatically added to the HealthVault record, and an email is sent to custodians' contact address to notify them that a message has been received in HealthVault. Attachments are automatically added to the record, unless the custodian changes the record's settings to require that attachments be manually added. The email service in HealthVault uses "Direct," a protocol designed specifically to communicate with health care providers. For that reason, HealthVault email can only be sent and received with providers that use a system that's set up to do that. Custodians can add or disable record email addresses.
To keep you informed of the latest improvements, the Service may send you a newsletter. You can choose whether to receive newsletters when you sign up for the Service, or unsubscribe at any time.
The service will periodically send you an email summarizing recent account activity. If you do not want to receive these emails, you can unsubscribe at any time
Security of your personal information
Microsoft is committed to protecting the security of your personal information. We use a variety of security technologies and procedures to help protect your personal information from unauthorized access, use, and disclosure. For example, we store the personal information you provide on computer servers with limited access that are located in controlled facilities.
- The Service sends all communications (except e-mail sent outside of HealthVault Message Center) using encryption.
- You can view a history of access and actions to any Health Record of which you are a custodian.
One of the primary purposes of cookies is to provide a convenience feature to save you time. For example, if you personalize a Web page, or navigate within a site, a cookie helps the site to recall your specific information on subsequent visits. Using cookies simplifies the process of delivering relevant content, eases site navigation, and so on. When you return to the Web site, you can retrieve the information you previously provided, so you can easily use the site's features that you customized.
You have the ability to accept or decline cookies. Most Web browsers automatically accept cookies, but you can usually modify your browser setting to decline some or all cookies if you prefer. If you choose to decline all cookies, you may not be able to use interactive features of this or other Web sites that depend on cookies.
Use of Web beacons
Microsoft Web pages may contain electronic images known as Web beacons sometimes called single-pixel gifs that may be used:
- to assist in delivering cookies on our sites
- to enable us to count users who have visited those pages
- to deliver co-branded services
We may include Web beacons in promotional e-mail messages or in our newsletters in order to determine whether you opened or acted upon those messages.
Microsoft may also employ Web beacons from third parties to help us compile aggregated statistics and determine the effectiveness of our promotional campaigns. We prohibit third parties from using Web beacons on our sites to collect or access your personal information. We may collect information about your visit to account.HealthVault.com, including the pages you view, the links you click, and other actions taken in connection with the Service. We also collect certain standard, non-personally identifiable information that your browser sends to every Web site you visit, such as your IP address, browser type and language, access times, and referring Web site addresses.
Changes to this privacy statement
We may occasionally update this privacy statement. When we do, we will also revise the "last updated" date at the top of the privacy statement. For material changes to this privacy statement, we will notify you either by placing a prominent notice on the home page of the HealthVault Web site or by sending you a notification directly. We encourage you to review this privacy statement periodically to stay informed about how we are helping to protect the personal information we collect. Your continued use of the Service constitutes your agreement to this privacy statement and any updates. Please be aware that this privacy statement and any choices you make on the Service do not necessarily apply to personal information you may have provided to Microsoft in the context of other, separately operated, Microsoft products or services.
We also encourage you to provide feedback and comments about the Service using the Feedback link in the footer of each Service web page or using the contact information below.
Microsoft welcomes your comments regarding this privacy statement. If you have questions about this statement or believe that we have not adhered to it, please contact us by using our Web form. If you have a technical or general support question, please visit http://support.healthvault.com/ to learn more about Microsoft Support offerings.
Microsoft Privacy, Microsoft Corporation, One Microsoft Way, Redmond, Washington 98052 USA 425-882-8080
To find the Microsoft subsidiary in your country or region, see http://www.microsoft.com/worldwide/.
Changes after 2012
In August 2014
- Added a link to find Microsoft subsidiaries worldwide.
In November 2013
- Added description of meaningful use reporting to Sharing personal information.
- Added description of HealthVault email.
- Revised Collection of information to describe new Microsoft account signup experience and to broaden the description of non-Microsoft credentials that can be used.
In June 2013
- Minor clarifications about information we collect and account closure.
In February 2013
- Updated former Windows Live ID section to Microsoft account.
- Clarified HealthVault account vs. Microsoft account vs. HealthVault record due to "Microsoft account" name change.
- Added information on location of storage of health information for users who sign up with E.E.A. residence addresses.
- Further minor clarification about third party control of programs and their descriptions.
Changes before 2013
For users outside of United States
Changes from June 2010
- Personal and health information stored in the service may be processed in the United States or any other country in which Microsoft or its affiliates, subsidiaries or service providers maintain facilities. (This is in preparation for service changes to allow for expansion of UK-based HealthVault service to users in additional countries)
- Added information to the "E-mail Controls" section that covers control of periodic emails summarizing account activity.
- Added information to the "Sharing records with programs through the Service" section to clarify the account and record meta-data that is available to Programs.
- Added sign-in via Facebook and OpenID credentials.
- Added explanation of an emergency profile feature that includes the ability to create and print wallet card that contains a summary of emergency profile information, and the ability to create access codes that can be used to get view-only access to emergency profile information.
For users in United States
Changes from February 2012
- Revised the description of terms Programs must agree to
- Removed the restriction that HealthVault record data is only stored in the United States
- Removed references to TRUSTe certification and HONcode
Changes from October 2011
- Added information to the "E-mail Controls" section that covers control of periodic emails summarizing account activity.
- Added information to the "Sharing records with programs through the Service" section to clarify the account and record meta-data that is available to Programs.
Changes from March 2010
- In the introduction, provided more examples of record sharing, such as sharing with health-related devices and mobile phone applications.
- Added sign-in via Facebook credentials.
- Added references to an account sign-up process that collects emergency profile information, the ability to create and print wallet card that contains a summary of emergency profile information, and the ability to create access codes that can be used to get view-only access to emergency profile information.
- Made non-substantive clarifications and removed passive sentence structure.
Changes from October 2009
- Updated section formerly titled "Archiving health information" (now called "Deleting health information") to reflect interface change that allows users to permanently remove items from their records.
- The "web form" text points to http://go.microsoft.com/?linkid=9647519 via hyperlink.
Changes from August 2009
- Separated HealthVault Connection Center ("Software") from HealthVault Account ("Service") Privacy Statements
- Changes from March 2009
- Removed "beta version" from service name
Changes from October 2008
- Removed grammatical error that referred to a single account in the plural
Changes from September 2008
- Updated description of HealthVault Connection Center to include Version 2
Changes from June 2008
- Clarified that separate health records should be set up for each individual
- Clarified that Programs include systems that may not have an online portal accessible to consumers (such as clinical systems)
- Clarified use of aggregated data to improve Service
- Added link to HealthVault Code of Conduct
- Added reference to contact information for feedback
- Clarified e-mail sent by the Service is unencrypted
- Added description for direct editing of information in the Service account
- Added Health On the Net Foundation (HONcode) certification
Changes from October 2007
- Added OpenID sign-in
- Clarified data storage location
- Revised data disclosure requirements for Programs operated by healthcare providers, insurers, and other entities covered by laws governing use and disclosure of healthcare information
- Removed strong password security requirement
- Clarified Program access
- Emphasized recommendation to read Programs' privacy statements
- Removed statement that data can be moved from an old, closed account to a new account
- Removed passive sentence structure and other non-substantive clarifications