The Washington My Health, My Data Act ("MHMDA") provides consumers residing in Washington and consumers whose consumer health data is collected in Washington (“Washington Consumers”, "you", or "your") with specific rights regarding their consumer health data. This Consumer Health Data Privacy Policy (“WA Policy”) supplements the Mutual of Omaha Online Privacy Policy ("Policy") and applies solely to Washington Consumers.

This WA Policy also explains your rights regarding your consumer health data and how you can exercise those rights. This WA Policy describes the practices of Mutual of Omaha Insurance Company and its subsidiaries and affiliates (“Mutual”, “we”, “us” or “our”) that link to the WA Policy regarding the collection and use of consumer health data we collect from Washington Consumers.

At Mutual, we strive to help consumers achieve their financial goals by providing an array of insurance and financial products. In doing so, we may collect and/or use the consumer health data of Washington Consumers. In this WA Policy, consumer health data has the meaning described below and excludes certain information subject to other laws.

Consumer health data is defined for purposes of this WA Policy and the MHMDA as personal information that is linked or reasonably linkable to a Washington Consumer and that identifies the Washington Consumer's past, present, or future physical or mental health status.

Consumer health data may include, for example, information collected directly from you if you use certain services available on our sites or information that you voluntarily provide, such as information you provide in response to a questionnaire or on a form.

We may also collect or receive consumer health data about you through or from our business partners and service providers that perform services for us or for you, or to offer our products and services to you. Please see the “Sources of consumer health data and business purposes for collection and use” section of this WA Policy to learn more about how we may collect your consumer health data.

Under the MHMDA and the unique consumer rights described below, consumer health data does not include:

• Publicly available information, such as information from government records, information we reasonably believe you made available to the general public, or unrestricted information you have disclosed or made available;
• Deidentified or aggregated consumer information we maintain in deidentified form and do not attempt to reidentify except as required or permitted by law;
• Health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA); and
• Personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (“FRCA”) and the Gramm-Leach-Bliley Act (“GLBA”).

We separately provide notices required under other state and federal laws, such as GLBA and HIPAA in connection with products and services subject to those laws. Those notices can be found by clicking here.

We may collect and/or use the following types of consumer health data:

Individual health conditions, treatments, diseases, or diagnosis

This may include physical characteristics or descriptions, medical conditions, health history, tests, symptoms, and other medical information, inpatient and outpatient care, medical recommendations, referrals, and consultations.

Social, psychological, behavioral, and medical interventions

This may include personal information relating to inpatient and outpatient care, treatments, rehabilitation, equipment usage, medical recommendations, referrals, and consultations, and assistance with activities of daily living.

Health-related surgeries or procedures

This may include personal information relating to a current surgery, history of surgery, and advice to have surgery.

Use or purchase of prescribed medication

This may include personal information relating to current or historical prescription drug use and pharmacy location.

Bodily functions, vital signs, symptoms, or measurements of other types of consumer health data

This may include personal information relating to a history of unexplained medical symptoms.

Diagnoses or diagnostic testing, treatment, or medication

This may include personal information relating to inpatient and outpatient care and a history of prescription and non-prescription drug use.

Reproductive or sexual health information

This may include personal information relating to an existing pregnancy and diagnoses or treatments for pregnancy or reproductive diseases or disorders.

Data that identifies a consumer seeking health care services

This may include personal information relating to consulting with a physician.

We collect your consumer health data directly from you and/or sales agents you interact with when applying for or seeking information about our products and services.

We may collect and/or use your consumer health data for the following business purposes:

A purpose you direct. You direct us to collect and/or use your consumer health data to process your insurance product application; recommend insurance products and services to you; and provide insurance product quote information.

Legal and regulatory compliance. For example, this may include preventing, detecting, or protecting against illegal activity, such as noncompliance with applicable laws and regulations.

For purposes of the MHMDA, we do not share consumer health data.

Subject to certain legal limitations and exceptions, you may be able to exercise some or all of the following rights:

Right to confirm and access

You may have the right to request us to confirm whether we collect your consumer health data and to disclose the consumer health data we collect about you.

Right to delete

You may have the right to request us to delete any of your consumer health data we collect and retain (and direct our processors and contractors to do the same).

Exceptions

We may deny your request if retaining the consumer health data is reasonably necessary for us to:

• Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any activity that is illegal under Washington state law or federal law;
• Preserve the integrity or security of systems; or
• Investigate, report, or prosecute those responsible for any such action that is illegal under Washington state law or federal law.

Other legal limitations and exceptions may also apply.

How to Submit A Request to Exercise Your Rights

To exercise any of the rights described above, you may submit a request either by clicking here and completing the linked Washington Consumer Rights Request form or by contacting us at the following toll-free number: 1-844-413-6884. We will consider only those requests submitted using these two options.

Exercising Your Right to Confirm and Access, and Delete

Only you or your authorized agent may make an authenticated consumer request to confirm and access or delete your consumer health data. If you use an authorized agent to submit an authenticated consumer request on your behalf, we will require you to provide additional information as described below. You may make an authenticated consumer request on behalf of your minor child. In order to authenticate your identity to process your request, we will request your full name, street address, city, zip code, phone number, and email address. For us to treat your request as an authenticated consumer request, you must:

• Provide sufficient information, commensurate to the type or sensitivity of the information you are requesting, that allows us to reasonably authenticate you are the person about whom we collected personal information or an authorized representative; and
• Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We cannot respond to your request or provide you with consumer health data if we are unable to: (a) authenticate your identity or authority to make the request, (b) confirm the personal information we have in our systems relates to you, or (c) locate your information in our systems. If the information you provided us does not match our records, in certain circumstances we may request additional information from you.

In certain circumstances, an authorized agent may submit a rights request for you. An authorized agent is a natural person or business entity to whom you have given permission to submit a request on your behalf. An authorized agent must submit a request using one of two designated methods described above. We must be able to authenticate the authorized agent has the authority to act on your behalf. In order to authenticate the authorized agent’s authority, we generally require evidence of either (i) a valid power of attorney; or (ii) a signed letter containing your name and contact information, the name and contact information of the authorized agent, and a statement by you authorizing the authorized agent to submit an authenticated consumer request on your behalf. Depending on the evidence provided, we may still need to separately reach out to you to confirm the authorized agent has permission to act on your behalf and to authenticate your identity in connection with the request.

We endeavor to respond to an authenticated consumer request to confirm and access or delete within forty-five (45) days of its receipt. If we require more time (up to 45 additional days), we will inform you of the reason and extension period in writing. We will deliver our written response by mail or electronically, at your option. The response we provide will also explain the reasons we cannot comply with a request, if applicable.

We do not charge a fee to process or respond to your authenticated consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

We reserve the right to amend this WA Policy at our discretion and at any time. When we make changes to this WA Policy, we will post the updated WA Policy on the website and update the WA Policy's effective date.

The effective date of the rights for Washington Consumers described in this WA Policy is March 14, 2024. Changes to the WA Policy will not affect our use of previously provided consumer health data.

If you have any questions about this WA Policy, the ways in which we may collect and use your consumer health data described in this WA Policy, and your choices and rights regarding such use, please feel free to contact us by:

• Sending an e-mail request to privacy.office@mutualofomaha.com
  
• Sending a letter via US Mail to:

Mutual of Omaha Insurance Company
3300 Mutual of Omaha Plaza
Omaha, NE 68175
Attention: Privacy Office

If we have denied your request to exercise your rights under the MHMDA, you may appeal our denial. Please submit your appeal request by:

• Sending an e-mail request to privacy.office@mutualofomaha.com

Last Updated: March 14, 2024