Privacy Policy

Effective Date: January 1, 2026  ·  Last Updated: April 1, 2026

01 Overview
02 Info We Collect
03 How We Use It
04 Sharing
05 Cookies
06 Security
07 Retention
08 Your Rights
09 Children
10 Third Parties
11 Changes
12 Contact

Section 01

Overview

HealthPass by Legacy Health Network ("HealthPass," "we," "our," or "us") is committed to protecting your privacy and safeguarding your personal and health-related information. This Privacy Policy describes how we collect, use, disclose, and protect information when you visit our website, use our services, submit inquiries, or enroll in our health benefit programs.

By accessing or using our website or services, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree with these practices, please do not use our services.

Note: This Privacy Policy applies to HealthPass by Legacy Health Network and its affiliated programs, including ChiroFirst Alliance services offered under the HealthPass benefit bundle. It does not apply to the practices of third-party partners, insurance carriers, or healthcare providers who have their own privacy policies.

Section 02

Information We Collect

We collect information in a variety of ways depending on how you interact with us. This includes information you provide directly, information collected automatically, and information received from third parties.

Information You Provide Directly

Contact information — name, email address, phone number, mailing address
Enrollment information — employer name, employee count, coverage preferences, plan selections
Health-related information — information you voluntarily provide when enrolling in or using health benefit services
Payment information — billing details processed securely through our payment processors
Communications — messages, inquiries, and feedback submitted through our contact forms or email
Account credentials — username and password if you create a member account

Information Collected Automatically

Device and browser information — IP address, browser type, operating system, device identifiers
Usage data — pages visited, time spent on pages, links clicked, referring URLs
Cookies and similar technologies — see Section 6 for details

Information from Third Parties

We may receive information about you from employers, insurance brokers, or benefit administrators acting on your behalf, as well as from healthcare providers within the Legacy Health Network when coordinating your care.

Section 03

How We Use Your Information

We use the information we collect for the following purposes:

Service delivery — to process enrollments, administer your health benefit plan, and coordinate care within our provider network
Communications — to respond to inquiries, send plan updates, renewal reminders, and service-related notifications
Account management — to create and manage your member portal access and preferences
Billing and payments — to process membership fees and employer contributions
Legal compliance — to comply with applicable federal and state laws, including HIPAA, ACA requirements, and tax regulations
Improvement of services — to analyze usage patterns, troubleshoot issues, and enhance our website and benefit offerings
Marketing and outreach — with your consent, to send information about new services, plan options, or educational content relevant to your health and coverage
Fraud prevention and security — to detect, investigate, and prevent fraudulent activity and unauthorized access

We do not sell your personal information to third parties for their own marketing purposes.

Section 04

Sharing & Disclosure

We do not sell, rent, or trade your personal information. We may share your information only in the following limited circumstances:

Service Providers & Vendors

We engage trusted third-party vendors to help operate our business — including payment processors, IT infrastructure providers, email platforms, and analytics tools. These vendors are contractually required to protect your information and may only use it to perform services on our behalf.

Healthcare Network Partners

To coordinate your care and administer your benefits, we may share necessary information with providers within the Legacy Health Network, ChiroFirst Alliance, and affiliated partners — consistent with applicable HIPAA authorizations and Business Associate Agreements.

Health Information: The handling of your protected health information (PHI) is governed by HIPAA federal law. For a full explanation of your rights and our obligations regarding your health data, please review our HIPAA Notice of Privacy Practices.

Employers & Plan Administrators

If your HealthPass enrollment is sponsored or administered through your employer, we may share enrollment status and plan utilization data — in aggregate or de-identified form — with authorized HR administrators for plan management purposes.

Insurance Carriers

For the ACA-compliant HDHP component of the HealthPass bundle, enrollment and eligibility information is shared with the applicable insurance carrier to establish and maintain your coverage.

Legal Requirements

We may disclose your information when required by law, court order, regulatory authority, or to protect the rights, property, or safety of HealthPass, its members, or the public.

Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. You will be notified via a prominent notice on our website if such a change affects how your data is handled.

Section 05

Cookies & Tracking Technologies

Our website uses cookies and similar technologies to improve your browsing experience, analyze site traffic, and support certain functionality.

Types of Cookies We Use

Essential cookies — necessary for the website to function, including session management and security. Cannot be disabled.
Analytics cookies — help us understand how visitors interact with our site (e.g., pages viewed, traffic sources). We use this data in aggregate, anonymized form.
Preference cookies — remember your settings and preferences to personalize your experience.
Marketing cookies — used to deliver relevant content and track the effectiveness of our outreach, only with your consent.

Your Cookie Choices

You can control or disable non-essential cookies through your browser settings or via any cookie consent tool present on our site. Note that disabling certain cookies may affect site functionality. Most browsers also support a "Do Not Track" (DNT) signal — we honor DNT requests where technically feasible.

Section 06

Data Security

We implement industry-standard technical, administrative, and physical safeguards to protect your information from unauthorized access, disclosure, alteration, or destruction. These measures include:

TLS/SSL encryption for all data transmitted between your browser and our servers
Encryption of sensitive data at rest
Role-based access controls limiting data access to authorized personnel
Regular security assessments and vulnerability monitoring
Employee training on data privacy and security practices
Incident response procedures for addressing potential data breaches

While we take reasonable precautions to protect your information, no method of transmission or storage is 100% secure. In the event of a data breach affecting your rights or freedoms, we will notify affected individuals and relevant authorities as required by applicable law.

Section 07

Data Retention

We retain your personal information for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

Enrollment and billing records — retained for a minimum of 7 years to comply with tax, insurance, and healthcare regulatory requirements
Health and claims-related records — retained in accordance with HIPAA and applicable state law, generally a minimum of 6 years from the date of creation or last use
Contact and inquiry records — retained for up to 3 years after your last interaction, or as needed to resolve disputes
Website analytics data — retained in anonymized or aggregated form for up to 26 months

When your data is no longer needed, we securely delete or anonymize it in accordance with our data disposal procedures.

Section 08

Your Privacy Rights

Depending on your state of residence, you may have the following rights with respect to your personal information:

Right to access — request a copy of the personal information we hold about you
Right to correction — request that we correct inaccurate or incomplete information
Right to deletion — request that we delete your personal information, subject to legal retention obligations
Right to opt out of marketing — unsubscribe from marketing communications at any time by clicking "unsubscribe" in any email or contacting us directly
Right to data portability — request your data in a portable, machine-readable format where technically feasible
Right to non-discrimination — we will not discriminate against you for exercising your privacy rights

California residents may have additional rights under the California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA). Oregon residents may have rights under the Oregon Consumer Privacy Act (OCPA). To submit a rights request, contact us using the information in Section 12. We will respond within 45 days, with an option to extend by an additional 45 days when necessary.

We may need to verify your identity before processing a rights request to protect your information from unauthorized access.

Section 09

Children's Privacy

Our website and services are not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately so we can take appropriate action to delete that information.

Dependent enrollment information for minor children is collected solely as part of an adult member's benefit enrollment and is handled in accordance with HIPAA and this Privacy Policy.

Section 10

Third-Party Links & Services

Our website may contain links to third-party websites, portals, or services — including insurance carrier portals, HSA administrators, and partner provider sites. These third parties operate under their own privacy policies, which we encourage you to review.

HealthPass by Legacy Health Network is not responsible for the privacy practices, content, or security of any third-party site. The inclusion of a link does not constitute an endorsement.

Section 11

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will update the "Last Updated" date at the top of this page and, where appropriate, notify you by email or through a prominent notice on our website.

Your continued use of our website or services after any update constitutes your acceptance of the revised Privacy Policy. We encourage you to review this page periodically.

Section 12

Contact Us

If you have questions, concerns, or requests related to this Privacy Policy or our data practices, please contact us:

Privacy & Compliance
HealthPass by Legacy Health Network
Legacy Health Network

Email: privacy@healthpassbylegacy.com
Website: healthpassbylegacy.com

For HIPAA-related requests, please indicate "HIPAA Request" in your subject line. We will acknowledge your inquiry within 5 business days and provide a full response within the timeframe required by applicable law.