Health Management Associates, Inc. and Affiliates — Comprehensive Privacy Policy

Information you provide: We may collect personal details you share with us, such as your name, business email, phone number, job title and employer, event registrations, newsletter preferences; paid subscriptions (e.g., HMAIS subscriptions), payments and files/content you  upload or submit, such as through forms or emails. Do not submit any Protected Health Information (PHI) through general website forms.

Information from your organization or partners: We may receive business-related information such as leads from other companies, conference attendee lists, referrals, or third-party data, such as enrichment data (e.g., industry, role, and interests).

Automatically collected information: While some cookies that are necessary for a website to operate may automatically be active, if you allow cookies, we may collect device and usage data (e.g., IP address, device/browser, pages viewed, timestamps, referring URLs) and use cookies, pixels, SDKs, and tags for analytics, personalization, measurement, A/B testing, advertising, and security (e.g., Google reCAPTCHA) on certain forms. You may change your cookie preferences at any time.

Public sources: We may gather information from publicly available sources such as websites, government publications, professional profiles, and industry databases.

De‑identified/aggregated data: We may create and use de-identified or aggregated data and will not attempt to re-identify it except as permitted by law.

To Operate Our Services: We may use your information to provide and manage our services, including delivering content, managing your accounts or subscriptions (like HMAIS subscriptions), processing payments, offering support, and communicating with you.

To Improve and Secure Our Services: We may use your data for activities like debugging, analyzing performance, and tracking how well the website works. We also may use it to detect security threats and prevent fraud.

For Marketing and Personalization: We may use your information to send you emails, including as part of e-mail campaigns, invite you to events, create custom audience groups, create cross-device and cross-site measurements, and cross-context behavioral advertising, subject to your preferences.

For Recruiting & HR: If you apply for a job, we use your information to evaluate your application.

For Compliance and Legal Matters: We use your information to conduct audits, enforce our terms and policies, respond to legal requests, and handle legal issues or regulatory matters.

For Corporate Transactions: In the event of a merger, acquisition, financing, or sale of assets, your data may be used as part of those business transactions.

HMA Affiliates: We may share your information with other companies we’re connected to, such as our affiliates, subsidiaries and parent companies, for central operations (including cross-brand insights,  managing our operations, analyzing data, improving our products, and coordinated marketing across different brands). You can choose to opt out of marketing and the sale or sharing of your data.

Service Providers/Processors: These are companies that help us with things like hosting, security, analytics, reCAPTCHA, email/SMS services, marketing, form building, event tools, payment processing, customer support, and session recording, bound by contracts limiting use to our purposes.

Advertising/Analytics Partners: We share information with these companies to measure campaigns, create and serve ads, and help us analyze data (this might be considered a “sale” or “share” of data under California law, but you can opt out if you want).

Professional Advisors and Legal: We may share your information with our lawyers, auditors, and insurers for legal or business-related purposes, including to prevent fraud and security incidents, protect rights, and business transfers as part of mergers, acquisitions, or other corporate events.

Authorities: We may share information if required by law or to protect rights, privacy, safety, or property, or to detect and prevent fraud or security risks.

We use different types of technologies and categories commonly labeled: (1) Strictly Necessary (operation/security); (2) Functional (Preferences); (3) Analytics (Usage/diagnostics); (4) Advertising/retargeting, and in some instances (5) Unclassified (Non-Essential)  on our site. Here’s what we collect and why:

• Strictly Necessary Cookies: These are needed for the website to work, like letting you log in or manage your account (i.e.,  essential cookies that cannot be turned off).
• Functionality Cookies: These remember your preferences, like language or time zone, to make your experience more personal (i.e., nonessential cookies  that can be turned off).
• Performance Cookies: These help us see how people use our site so we can make it better. They don’t directly identify you (i.e., nonessential cookies  that can be turned off).
• Advertising or Targeting Cookies: These help us show you ads that match your interests (i.e., nonessential cookies  that can be turned off).
• Unclassified Cookies: Some cookies are still being reviewed to determine their exact impact and may relate to ads or session management. Unclassified cookies are cookies that do not belong to any other category or are in the process of categorization. (i.e., nonessential cookies  that can be turned off).

Your choices: You may manage, via our Cookie Preferences tool or preferences settings which cookies are functional, and you may manage via your browser or device which cookies you accept. We also use commercially reasonable efforts to honor your preferences communicated via the Global Privacy Control (GPC) and other legal opt-out signals (like the Colorado Universal Opt-Out Mechanism). However, we do not currently respond to “Do Not Track” (DNT) signals because there is no standard way to handle them.

We may use technologies from other service providers to help us understand how people use our site, measure the effectiveness of our ads, and show you more personalized content. These tools may collect data like your IP address, device details, browser type, which pages you visit, and more.

Some of the service providers we work with include: Google Analytics, Google Ads, LinkedIn, Facebook/Instagram (Meta Pixel), Microsoft Ads, Twitter, Pinterest, Reddit, HubSpot, Salesforce, Hotjar, Crazy Egg, and others, however, the specific providers may change over time.

We use tools to communicate with you on our website and understand how you use it, including to protect our Services, prevent fraud and improve user experience. This includes:

Emails and Messages: If you sign up for our newsletters, fill out forms, or contact us, we may send you emails or messages (like SMS) about our services, events, or updates. You can opt out of marketing emails anytime using the “unsubscribe” link or by contacting us. However, even if you unsubscribe, we may still send you emails regarding the Services we perform.

Session Recordings: We may use tools like session replay to record how you move through our website (e.g., clicks, scrolling, or page visits). These tools help us improve the website but are set up to avoid capturing sensitive information, like passwords or payment details.  For example, we may monitor and log metadata about web requests and form submissions (e.g. IP address, timestamps, URL, and use sessions-replay/interaction analytics). Where required, we obtain consent before enabling such tools via our cookie banner.

Monitoring for Legal Compliance: In some cases, we may monitor or record website interactions to comply with laws or protect against fraud, as allowed under privacy laws (like rules about wiretapping or tracking). We only do this when required and follow strict legal guidelines to protect your privacy.

You can control some of these tools through our Cookie Preferences tab at the bottom of our website, and if required by law or regulations, we will let you know how we monitor or use your information.

If you give us your mobile number and agree, we (and our affiliates) may contact you by phone call or text message for marketing or informational purposes. We may use an autodialer or prerecorded voice.

Consent is not required to purchase goods/services. Message & data rates may apply; message frequency varies. You may opt out at any time by replying STOP (to end) or HELP (for help). We maintain records of consent and opt‑outs as required by law and comply with applicable Do‑Not‑Call obligations.

HMA is a consulting company and usually not a HIPAA “covered entity” (like a doctor or health plan). Please don’t send Protected Health Information (PHI), like medical records, through our website forms. We do not intend our public website, forms, or marketing tools to receive PHI. If you believe you may need to send PHI, please contact us for a secure transmission method.  If we receive PHI while working for a covered entity, we generally receive such information under a contractual agreement, such as  under a Business Associate Agreement (BAA), and we handle that data according to the BAA, not this Privacy Policy.  When HMA acts as a Business Associate, we comply with all HIPAA requirements, including administrative, physical, and technical safeguards; minimum necessary use and disclosure; and breach-notification obligations. Where applicable, individuals retain their HIPAA rights of access and amendment, as described in the Notice of Privacy Practices of the relevant covered entity.

Depending on where you live (e.g., CA, CO, CT, VA, UT, OR, TX, MT, DE, IA, TN, IN, etc.), you may have rights to access/know, correct, delete, data portability, and to opt out of targeted advertising, sale/share, and certain profiling. California residents may request to limit use/disclosure of Sensitive PI. You may use an authorized agent; we will verify identity/authority and may request a signed declaration where permitted. If we deny a request, you may appeal; we will respond within required timelines. We will not discriminate for exercising your rights. We do not offer financial incentives at this time; if we do, we will provide a Notice of Financial Incentive. 

Authorized agents & verification: You can have someone else (an authorized agent) make these requests for you. But we’ll need to verify both your identity and the agent’s authorization before we can fulfill the request. In some cases, we may ask for a signed statement confirming your request under penalty of perjury.

Appeals: If we reject your request, you can appeal. We’ll explain how to do this when we respond to your request.

Non-discrimination: We won’t treat you unfairly for exercising your privacy rights. Right now, we don’t offer any financial incentive programs, but if we ever do, we will provide clear notice of how that works.

We may disclose identifiers, internet/network activity, and inferences to advertising/analytics partners for measurement and cross‑context behavioral advertising, which may constitute a “sale” or “share” under California law. You can opt out at any time using our Do Not Sell/Share controls or by enabling GPC. We do not knowingly sell or share PI of consumers under sixteen (16).

Health Management Associates, Inc. is based in Michigan, United States, and provides services primarily within North America. We do not offer goods or services to individuals in the European Economic Area (EEA), the United Kingdom (UK), or Switzerland, nor do we monitor their behavior within the meaning of Article 3 of the EU General Data Protection Regulation (GDPR) or UK GDPR.

Because our processing of personal data is occasional, does not include large-scale processing of special categories of data, and does not otherwise create a risk to the rights and freedoms of individuals in the EEA/UK/Switzerland, we are not required to appoint an EU or UK representative under Article 27 of the GDPR or UK GDPR.

If this changes in the future—for example, if we begin to target or monitor individuals in the EEA/UK/Switzerland—we will update this Privacy Policy and appoint a representative as required by law.

You have rights to access, rectification, erasure, restriction, portability, and objection; you may withdraw consent without affecting prior processing. For transfers outside the EEA/UK/CH, we rely on Standard Contractual Clauses and appropriate safeguards.        

If you are in Canada, you have rights of access and correction and may withdraw consent to the extent permitted by law. We process PI in the U.S. and other countries; by using the Services, you consent to such transfers, subject to applicable law.

If our web properties collect “consumer health data” as defined by Washington law (e.g., interactions with wellness content), you may have additional rights. Where applicable, we will present a Consumer Health Data Notice and obtain any required consent for collection, use, and sharing.

Nevada residents may opt out of the sale of certain covered information. To submit a request, use the methods in Section 20.

Our Services are not directed to children under thirteen (13), and we do not knowingly collect PI from children. We also do not knowingly sell or share PI of consumers under sixteen (16).

We maintain reasonable administrative (e.g., policies, procedures, and training), technical (e.g., encryption), and physical safeguards (secure data centers) appropriate to the nature of the PI (e.g., TLS in transit, role‑based access, encryption for certain data, vendor due diligence, logging/monitoring, secure development). No method of transmission or storage is completely secure.

HMA maintains a written incident-response and breach-notification plan consistent with HIPAA, applicable U.S. state data-breach laws, and the EU/UK GDPR (Articles 33–34). In the unlikely event of a security incident that compromises personal information or Protected Health Information, HMA will investigate promptly, mitigate potential harm, and notify affected individuals and regulators as required by law and contractual obligations.

We retain PI only as long as necessary for the purposes described or as required by law, then delete or de‑identify it.

If you access our Services from outside the United States, your data may be transferred to and processed in the U.S. and other countries with different data protection laws. Where required, we implement appropriate transfer mechanisms (e.g., SCCs).

We do not engage in solely automated decision‑making that produces legal or similarly significant effects about individuals. We may use automated tools for audience segmentation and marketing analytics; you may opt out of targeted advertising as described above.

We may use limited automated tools, including machine-learning (AI/ML) algorithms, to perform analytics, improve website performance, and personalize marketing content (for example, recommending resources or tailoring email outreach). These activities do not involve solely automated decisions that produce legal or similarly significant effects on individuals.

Where required by law (such as GDPR Articles 21–22 or applicable U.S. state privacy laws), you may object to this type of processing or opt out of targeted advertising by following the instructions in the Your Privacy Choices and Rights section or by contacting us using the details in Contact Us.

We maintain a data inventory and perform vendor assessments appropriate to risk. Where required, we conduct Data Protection Impact Assessments (DPIAs) for high‑risk processing (e.g., certain profiling or new tracking technologies). Vendors processing PI on our behalf are bound by written contracts with confidentiality, security, and data‑use restrictions.

To deliver our Services, HMA engages carefully selected service providers (“processors” or “subprocessors”) that perform functions such as hosting, analytics, email delivery, payment processing, and marketing support. These vendors are bound by written contracts that include confidentiality, data-security, and data-use limitations consistent with applicable privacy laws.

Upon request, HMA will provide a current list of its key processors and subprocessors, including the nature of the services they provide and the jurisdictions in which they process data.

We may update this Policy. The Effective date will reflect the latest version. Material changes will be highlighted for a reasonable time. We will retain prior versions in an archive available upon request.

Email:
Mail: 2501 Woodlake Circle, Suite 100, Okemos, MI 48864
Toll‑free: 800-678-2299
Data Subject Request:
EU/UK Representative:
Chief Compliance Officer: