Platform Privacy FAQS
Castlight is a healthcare platform that companies and their employees use to more easily understand and navigate their healthcare. Your employer shares certain information with us so that we can create and maintain your Castlight account. This makes it possible for Castlight to provide you with information on your claims history. Your health insurance provider shares your claims history with us. Castlight also collects information from you when you complete certain surveys and/or health assessments available within our application.
The Castlight Platform also has programs and services that can help you take care of your health. These include:
- Care Guidance Service: Care Guidance is a digital platform. It can help you find healthcare providers covered by your insurance. It can also give you advice on programs available through your employer. Castlight makes suggestions based on your health conditions, goals, and insurance benefits.
- Care Guides: This is a team that can help you understand your health insurance benefits. They can also help you find the right healthcare.
- Wellbeing Service: This program asks you questions about your health. It gives you advice on how to make healthy choices, based on how you answer.
To use these services, your employer or health plan must offer them. Some services are available to people who live outside the United States. The Care Guides are only available to people who live in the United States.
What is Personal Health Information?
Personal Health Information (PHI) is information about your health that can be linked to you. Specifically, it is information about:
- Your health status
- The healthcare you receive
- Payment for healthcare
PHI may also include data that falls into the category of Sensitive Personal Information (“SPI”). SPI is information that is highly sensitive in nature. If SPI is lost or accidentally shared, it could result in significant harm or embarrassment to an individual. Examples of SPI vary across organizations but may include the following:
- Date of Birth
- Biometric or Genetic Records
- Political or Religious views
- Race or Ethnicity
- Sexual Orientation
- Bank Account Numbers
Why do we collect your information?
Castlight collects your personal information for different reasons. These reasons include:
- To run and promote the Castlight Platform and offer its services.
- To confirm your identity and set up your account.
- To learn about your health needs and contact you if there are any problems.
- To recommend features and benefits of the Castlight Platform and personalize your experience.
- To communicate with you through email, text, chat, and other ways.
- To help other service providers on the Castlight Platform offer their services.
- To suggest programs, content, or events that may be of interest to you based on what you or your Health Plan tell us.
- To encourage you to use programs that can help you reach your health goals.
- To run contests, promotions, or other activities you choose.
- To help you with purchases or donations.
- To help you use the Castlight Platform and follow the law.
- To protect your safety, investigate fraud, answer government requests, and protect your rights.
- To stop harmful activity like security problems, spam, fraud, and abuse.
Castlight uses your personal information to provide and improve its services, keep you safe, and protect your rights.
Why do we share your information?
Castlight only shares your information with those who need to access it to perform their job-related tasks and duties. Your information may also be shared with third parties with a legitimate and legally compliant reason for accessing it. The situations under which Castlight may share your information are as follows:
- With your employer or health plan. Castlight does not share your Protected Health Information (“PHI”) with your employer. Castlight may share your information with your employer’s health plan to help manage their performance. This information is de-identified. That means it cannot be used to identify you. Other information that won’t compromise your privacy may be shared with your employer. Examples include:
- Survey responses without information that could identify you.
- User testimonials and reviews. You can choose to include or exclude your name when providing feedback.
- The status of health and wellness activities to help your employer award benefits.
- With service providers. Castlight may share your information to help provide services and features to you. Contracts require service providers to protect the security and privacy of your information. Examples include:
- Providers of customer support
- Providers of surveys, network infrastructure
- Providers of cloud storage
- Providers of security and information technology
- Providers of data analytics
- Providers of marketing
- When using single sign-on (SSO) with some third-party websites. Castlight may share some of your information to confirm your identity. Examples include: Google or your health plan’s website, through the Castlight Platform.
- To follow the law. Castlight may share your information to help keep you safe or to address suspected fraud, security, or technical issues. Castlight may also share your information with the following parties in response to a valid legal process:
- Law enforcement agencies
- Government agencies
- Private parties
- External law firms
- To protect the vital interests of any person.
- With someone you have chosen to share your information with. You can share your information with a spouse, domestic partner, family member, or another person while using the Complete Service. Castlight will not share your personal information with anyone you assign unless you provide your consent. You can withdraw your consent at any time.
- To help coordinate your health benefits. Castlight may share your personal information with your health plan. Castlight will always share information in strict compliance with HIPAA.
- With Castlight Care Guides. Care Guides may access your personal information, including PHI, to provide one-on-one support. Care Guides may use your personal information to assist you with your health and wellness.
- To facilitate third-party Orders. If you buy a device, application, or service from a third party, we may give your name and contact information to them to help with the order. We won’t share your payment information with them. If you use a credit card to make a purchase, we’ll share your credit card information with our credit card processing company. This is necessary to complete the transaction. If you want us to keep your personal information private from these third parties, don’t order anything through the Wellbeing Service.
- With a third-party Administrator. If your Health Plan requires it and you consent, we may share your personal information with a third-party administrator (TPA). The TPA will use your personal information to create anonymous, aggregated data for your employer’s health and wellness programs. This data cannot be used to identify you.
What is Castlight Health’s security philosophy?
Our security philosophy is simple: You are trusting us with your healthcare data and we earn that trust through the actions we take every day.
Castlight Health maintains a formal and comprehensive security program. It is designed to ensure the confidentiality, integrity and availability of our systems and data. It is also intended to protect against the threats faced by a modern company.
Castlight Health believes that all employees play a critical role in keeping your data secure. We have a purpose-built organizational culture that is both aware and proactive about security risks. Our security culture is developed through company-wide training, regular communications and dedicated personnel working everyday to enhance and improve our security measures.
How does Castlight Health keep your data secure?
Trusted by hundreds of employers, Castlight is committed to investing in our security to safeguard your data.
At Castlight, we keep your information safe by using secure data centers that meet or exceed industry standards. We constantly test our security to make sure our systems are safe from any threats.
We only allow people who need access to your information to see it, and we make sure that their access is authorized before any such access occurs. All employees and contractors receive regular security training. We also check the backgrounds of our employees and contractors before hiring them.
Castlight also implements strong authentication measures. We make sure that only you have access to your personal account while restricting bad actors from gaining access to your account.
Additionally, a third party conducts tests to review that our applications are protected and as safe as possible.
Does Castlight have an identity theft prevention program in place to detect, prevent, and mitigate identity theft?
Yes. Castlight uses several techniques to ensure a strong Identity Theft Prevention Program. Castlight receives an individual’s information directly from our customers (employers). Castlight receives an individual’s information directly from our customers (employers). Once the information is received, you will need to verify your identity. Once you have, you will have the ability to correct any information gaps through your employer. Our automated fraud detection tools, Support Team, and Security Team also consistently watch your account for suspicious activity. Suspicious activity may include:
- Logins from different locations
- Unusual actions taken while logged in to an account
- Unfamiliar devices accessing accounts
Individual Data Rights
Data Access and Deletion Request Tracker
All data is for the year 2022
Last update: January 13, 2023
Data deletion requests: 184
Data access requests: 1
CCPA Opt out requests: Castlight Health does not sell your Personal Information for any purposes.
Average turnaround time for all requests: 3 days
Does Castlight sell my personal data?
Castlight Health does not sell any personal data.
How can I access my personal data from Castlight?
How can I delete my personal data from Castlight’s platform?
Do individuals have a right to download their Personal Health Information outside of Castlight’s secure platform?
Yes. Under HIPAA (Health Insurance Portability and Accountability Act), if a Covered Entity or Business Associate maintains a designated record set (designated healthcare records) that relates to the individual, the individual has a right to access and/or transmit their Personal and Personal Health Information. Although Castlight does not maintain a designated record set as defined by HIPAA , we follow the guidance under HIPAA in most instances and therefore permit users of our application to access and download their Personal and Protected Health Information.
- Source: Department of Health and Human Services: Individuals’ Right under HIPAA to Access their Health Information – 45 CFR § 164.524.
What are some of the risks associated with an unsecure download of Personal Health Information?
Some of the risks associated with an unsecure download include, but are not limited to the following:
- Hacking/Impermissible use or interception by a third party (this may include a bad actor or third-party service provider)
- Loss of theft of device with downloaded information
- Risk of improper disposal or record retention on the device used for downloading
- Unencrypted data (including unencrypted transmission of data to a third party)
What are some security considerations and recommended safeguards prior to downloading and transmitting data outside of Castlight’s secure platform?
Castlight highly recommends but does not require the following safeguards be put into place on your device settings prior to download and/ or transmission
- Ensure your mobile or desktop device is encrypted
- Password protection for mobile devices and other hardware endpoints
- Transmitting any downloaded data via a secure channel
Is Castlight responsible if it complies with an individual’s request to receive Personal Health Information in an insecure manner?
No. Under the HIPAA Privacy and Security Rules, while Castlight is responsible for ensuring reasonable safeguards in implementing an individual’s request , Castlight is not responsible for a disclosure of PHI while in transmission to the individual based on the individual’s access request to receive the PHI in an unsecure manner if proper precautions are taken to notify the individual of the risk involved.
Additionally, while Castlight is required by the Privacy and Security Rules to implement reasonable safeguards to protect PHI, individuals have a right to receive a copy of their PHI by unencrypted means if the individual requests access in this manner. In such cases, Castlight will provide a brief warning to the individual (per HIPAA guidance) that there is some level of risk that the individual’s PHI could be read or otherwise accessed by a third party and confirm that the individual still wants to receive PHI in this manner.
- Source: Depart of Health and Human Services: Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.524.
Where can I go for more information on this topic?
For general inquiries regarding Castlight’s Privacy practices, please refer to our Privacy Statement. For additional information and resources on this topic please refer to the Department of Health and Human Resources Website or email Castlight’s Privacy Team at: [email protected] or [email protected].