NOTICE OF PRIVACY PRACTICES

EFFECTIVE MAY 2025

MedMutual WELL powered by Vitality (“MedMutual WELL”) makes available to you the website medmutualwell.powerofvitality.com (“Website”) and the mobile application MedMutual WELL (“Application”), which may be referred to collectively as the “Program(s).” The Program/s are provided on Vitality’s platform (“Vitality” refers to The Vitality Group, LLC including its affiliates and group companies) and are made available to you by Medical Mutual of Ohio and on behalf of either your employer, your spouse’s employer, or another provider (“Program Provider”).

This Notice of Privacy Practices (“this Notice”) applies to Protected Health Information (“PHI”) and Personal Information, collectively “information”, collected by or received by MedMutual WELL, whether online or offline.

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

By accessing or using the Program/s, you are aware of the collection, receipt, use, disclosure and retention of your information as described in this Notice and accept the terms of this Notice and the Terms of Use.

Should you require that this Notice be read to you, please contact the MedMutual WELL Customer Care Team at 1-866-953-4187.

1. YOUR PRIVACY IS IMPORTANT TO US

MedMutual WELL is committed to protecting the information you share with us. MedMutual WELL is required by law to maintain the privacy of your personal information as well as your PHI, to provide you with this Notice describing our legal duties and privacy practices with respect to your information, and, in the unlikely event of a breach, to notify you if you are impacted and the breach relates to unsecured protected health information. MedMutual WELL will abide by the terms of this Notice.

2. HOW WILL I KNOW IF THIS NOTICE CHANGES?

MedMutual WELL may update this Notice from time to time. If updates are made to the Notice, the updated Notice will be uploaded on the Program’s homepage and in other places that MedMutual WELL deems appropriate. You should therefore refer to this Notice each time you make use of the Program.

3. WHAT INFORMATION MEDMUTUAL WELL COLLECTS

MedMutual WELL understands your concerns about the confidentiality of information you share with us. We collect information from you when you engage with the Program. When engaging with the Program, MedMutual WELL may receive information from your Program Provider or authorized third parties, or directly from you, depending on the Program you are using and the activities in which you participate.

4. HOW DOES MEDMUTUAL WELL USE INFORMATION IT COLLECTS ABOUT ME?

MedMutual WELL will use the information that it collects about you to facilitate and administer the Program, which may include the use cases specified below. MedMutual WELL will only use such information in accordance with this Notice and applicable laws.

  • Treatment
  • Payment
    • For management of any debts owed to MedMutual WELL, if applicable
    • Tracking and administration of payment installments (if any)
    • Recovery of unpaid debts or reimbursement of damages under a contract
  • Health Care or Program Operations
    • To administer and manage your account
      • Creating and maintaining your profile
      • Generating goals, activities, and/or targets
      • Recommending activities and engagements
      • Applying rewards earned
      • Making Program features and offerings available to you
      • Fulfilling purchase orders you make through the Program
      • Tracking your progress through the Program
    • To resolve any complaints or inquiries you may have
      • Registering complaints and inquiries
      • Managing and resolving complaints and inquiries
    • To prevent, detect, and investigate fraud or security incidents
    • For management information purposes
      • Accounting and financial records
      • Analysis and reporting
      • Audit requirements
      • System security and effective operation
      • Program quality assessments, improvements, and developments
      • Reporting necessary information to your Program Provider for benefit administration
  • As Required by Law:
    • MedMutual WELL must allow the U.S. Department of Health and Human Services access to audit our records. In addition, MedMutual WELL may release or disclose your information if required to do so to comply with other laws or for certain public policy purposes, including:
      • To comply with legal proceedings, such as court orders, administrative orders or subpoenas
      • To perform mandatory licensing and regulatory/compliance reporting
      • To law enforcement officials for limited law enforcement purposes
      • To federal officials for lawful intelligence, counterintelligence and other national security purposes
      • To public health authorities for public health purposes
      • To health oversight agencies for health oversight activities authorized by law, including audits, investigations or licensure activities, and
      • To comply with workers’ compensation and other similar programs established by law that provide for benefits for work-related injuries or illness without regard to fault.

5. WHO WOULD MEDMUTUAL WELL SHARE MY INFORMATION WITH

  • Your Program Provider: MedMutual WELL may share with your Program Provider (or a third party that is authorized by your Program Provider) only the minimum necessary information to enable them to administer your incentives, general administration, and for analytics purposes. Administration can include: calculation of health plan premium discounts, health club dues subsidies, applicable taxation, reward redemption, or other arrangements for which such information is relevant. Such information may be shared via the employer portal.
  • Your Program Provider’s authorized Third-Party Service Providers: Your Program Provider may make additional incentives available to you that are provided by Third-Party Service Providers; this could include your Program Provider’s in-house service provider, such as your Program Provider’s in-house coaching service. Where PHI is shared, the service provider will be a business associate.
  • Service Providers to MedMutual WELL: MedMutual WELL uses the Vitality Group LLC and its affiliates as well as other third-party partners to enable them to perform functions or provide services on our behalf. These service providers are only permitted to share, store and/or use the minimum amount of information for contracted business purposes. Where PHI is shared the service provider will be a business associate.
  • Peer: Where you sign up for a challenge, limited information may be shared with a peer who is also participating in a challenge.

6. YOU HAVE THE FOLLOWING RIGHTS REGARDING YOUR PHI:

  • Right to Access: You have the right to inspect and obtain a copy of your information.
  • Right to Amend: You have the right to request an amendment to your PHI if you believe it is incorrect or incomplete.
  • Right to an Accounting of Disclosures: You have the right to request a list of certain disclosures of your PHI.
  • Right to Request Restrictions: You have the right to request restrictions on certain uses and disclosures of your PHI. Your Program Provider does not need to agree to such restrictions.
  • Right to Request Confidential Communications: You have the right to request that MedMutual WELL communicate with you in a certain way or at a certain location.
  • Right to a Paper Copy of This Notice: You have the right to obtain a paper copy of this notice upon request.

Should you wish to exercise your rights contained in this section, please refer to section 13.

7. HOW IS MEDMUTUAL WELL PROTECTING MY INFORMATION?

Information that you share within the Program(s) is kept strictly confidential and fully secure. Your encrypted (encoded) information is protected using "Secure Sockets Layer (SSL)" as it passes between your browser and this website. MedMutual WELL follows generally accepted industry standards to protect the information received, both during transmission and upon receipt.

8. WILL MEDMUTUAL WELL COMMUNICATE WITH ME DIRECTLY?

As a MedMutual WELL member, MedMutual WELL aims to provide you with a fully invested experience and dedication to your wellness journey. Depending on your particular Program, MedMutual WELL will deliver marketing, status updates, or other informational emails to you via the email address you provide on your My Account page. If you choose, you may opt out of receiving these emails at any time by adjusting the settings on your account on the Website or the Application you use. If you use the Application, push notifications and triggered communication may be sent to you through the Application. These notifications can be turned off at any time by adjusting the Application’s settings on your device.

Certain communications are necessary and cannot be turned off. These include: transactional emails (such as order confirmations); emails relating to payment processing activities and reward redemptions; communications from our Customer Care team in response to contacts initiated by you; or other important updates like security and fraud notices or change in services.

If you send questions or comments to an email address listed within a Program or via a contact form provided within a Program, your correspondence will be shared with a MedMutual WELL associate most capable of addressing your questions and concerns. We will retain your communications until we have done our very best to provide you with a complete and satisfactory response. Ultimately, MedMutual WELL will either discard your communication or, in some cases, archive it. MedMutual WELL will not keep your email address for secondary purposes. All information and correspondence you share with us will be handled in the strictest confidence.

MedMutual WELL may agree that email has become a standard communication tool used by many different parties. Unfortunately, by design, standard Internet email is not secure. For that reason, please do not use unsecured email to communicate information to MedMutual WELL that you may consider to be confidential.

9. ARTIFICIAL INTELLIGENCE (AI) USE

MedMutual WELL uses AI to enhance our Program offering while prioritizing data privacy and security. MedMutual WELL is committed to fairness, transparency, and human oversight in all our use of AI. Should you have any questions, reach out to us as set out in section 13.

10. FITNESS DEVICES

Should you decide to connect a fitness device, by engaging with the Program, information linked to you and your interactions with the Program (e.g. your physical activity, reward earning events and redemption, and form submission) will be collected by the Program. You can also choose to allow certain devices and mobile applications, such as Garmin, to sync data to the Application you use. Once you consent and link your device, 90 days of historical fitness device data will be collected by the Program from the date of linking. You can delink your device at any time through the settings menu of the Application. Note that such action may impact your ability to earn rewards and our ability to administer the Program for your full benefit. Should you wish to no longer use the Program, ensure you delink your device.

10.1 INFORMATION FOR GOOGLE FIT USERS

MedMutual WELL complies with the Google API Services User Data Policy including the Limited Use requirements. MedMutual WELL will only receive the below device data from Google Fit where you allow your mobile application to sync data to the MedMutual WELL Application you use. You can modify these permissions at any time through the settings menu of the applicable application.

If you have consented to data syncing, the device data that MedMutual WELL will collect through the Program includes:

  • physical activity data (including meditation data)
  • body measurements
  • heart rate data
  • sleep data

The above device data will only be used to facilitate the MedMutual WELL Program in accordance with section 5 above.

MedMutual WELL may disclose your device data to service providers set out in section 6 above, to enable them to perform functions or provide services on our behalf. These service providers are only permitted to share, store and/or use such data for contracted business purposes.

MedMutual WELL will protect your device data in accordance with section 7 of this Privacy Notice.

10.2 INFORMATION FOR FITBIT USERS

The use of information received from Fitbit APIs and/or Developer Tools will adhere to the Fitbit Platform Developer and User Data Policy (https://dev.fitbit.com/legal/platform-developer-and-user-data-policy/), including the Limited Use requirements.

11. EMPLOYER PORTAL

In the event that you are a Program Provider and you use any information set out in this Notice in the employer portal, you shall ensure that such information is processed in accordance with the Notice.

12. COMPLAINTS

You have the right to complain if you believe your rights have been violated. Please provide all required information including your name, the policy and group (if applicable) numbers under which you are covered, your birthdate and an explanation about your complaint in as much detail as possible. You may file a complaint by using the details set out in section 13 below, if you wish not to send it in writing.

You also have the right to complain to the Secretary of the U.S. Department of Health and Human Services, Hubert Humphrey Building, 200 Independence Avenue, S.W., Washington, D.C. 20201. Federal law prohibits retaliation against you if you choose to file a complaint.

13. HOW CAN I CONTACT MEDMUTUAL WELL WITH MY PRIVACY QUESTIONS?

Individuals with inquiries or complaints regarding the privacy of their information should contact MedMutual WELL at:

Att: Privacy Officer

1-866-953-4187

support@medmutual.membercareteam.com