Last Modified: 5/7/2023
This Privacy Notice explains how First Rehabilitation Resources, Inc. (“FRR”, “we”, “us” or “our”) collects, uses, discloses, and otherwise processes personal information (as defined below) in connection with our website https://1strehab.com/ and other websites we own and operate that link to this Privacy Notice (the “Sites”), and our services (collectively, the “Services”).
FRR may provide services to companies such as insurance carriers, third-party administrators, employers, and public and federal entities (“FRR Customers”). In the course of providing these services, we collect personal information about the individuals our customers refer to FRR. We process any personal information received from our customers or created in the course of providing services to our customers in accordance with any restrictions set forth in our contracts with them. We recommend referring to the FRR Customer’s privacy notice, including their Notice of Privacy Practices (as applicable), for information on how they engage service providers, like us, to collect and process Customer Data on their behalf.
When we use the term “personal information” in this Privacy Notice, we mean any data or information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular natural person or any other data or information that constitutes “personal data”, “personal information,” or “personally identifiable information” under applicable law.
We collect personal information in a variety of ways. For example, you may provide us your personal information when you apply to be and/or become a medical provider and use our Services, submit a referral, send us messages, subscribe to our mailing lists, newsletters, or other forms of marketing communications, or use some other feature of our Service.
We may link or combine your activities and information collected from you on our websites with information we receive from third parties, as well as information we collect automatically through tracking technologies (defined below). This allows us to provide you with a personalized experience regardless of how you interact with us.
Personal Information Collected from You
We may collect the following categories of personal information in connection with providing the Services and operating our business:
Personal Information from Third Parties
We also obtain personal information from third parties, which we often combine with personal information we collect either automatically or directly from an individual.
We may receive the same categories of personal information as described above from the following third parties:
Additional Uses of Personal Information
We may use personal information we collect to:
Where you choose to contact us, we may need additional information to fulfill the request or respond to inquiries. We may provide you with additional privacy-related information where the scope of the inquiry/request and/or personal information we require fall outside the scope of this Privacy Notice. In that case, the additional privacy notice will govern how we may process the information provided at that time.
We, and our third-party partners, may automatically collect information you provide to us and information about how you access and use the Services when you visit our services, read our emails, or otherwise engage with us. We may collect this information through a variety of tracking technologies, including (i) cookies or small data files that are stored on an individual’s computer and (ii) other, related technologies, such as web beacons, pixels, embedded scripts, location-identifying technologies and logging technologies (collectively, “tracking technologies”), and we may use third-party partners or technologies to collect this information. Information we collect automatically about you may be combined with other personal information we collect directly from you or receive from other sources.
We, and our third-party partners, use tracking technologies to automatically collect usage and device information, such as:
All the information collected automatically through these tools allows us to improve your customer experience. For example, we may use this information to enhance and personalize your user experience, to monitor and improve our Sites and Services, and to improve the effectiveness of our Services, offers, advertising, communications and customer service. We may also use this information and the data collected through tracking technologies to: (a) remember information so that you will not have to re-enter it during your visit or the next time you visit the site; (b) provide custom, personalized content and information, including targeted content and advertising; (c) identify you across multiple devices; (d) provide and monitor the effectiveness of our services; (e) monitor aggregate metrics such as total number of visitors, traffic, usage, and demographic patterns on our website; (f) diagnose or fix technology problems; and (g) otherwise plan for and enhance our services.
If you would prefer not to accept cookies, most browsers will allow you to: (i) change your browser settings to notify you when you receive a cookie, which lets you choose whether or not to accept it; (ii) disable existing cookies; or (iii) set your browser to automatically reject cookies; however, doing so may negatively impact your experience using the services, as some features and services may not work properly. You may also set your email options to prevent the automatic downloading of images that may contain technologies that would allow us to know whether you have accessed our email and performed certain functions with it.
We may also share, transmit, disclose, grant access to, make available, and provide personal information with and to third parties, as follows:
You may control your information in the following ways:
We will usually store the personal information we collect about you for no longer than necessary to fulfill the purposes for which it was collected, and in accordance with our legitimate business interests, contractual obligations, and applicable law. However, if necessary, we may retain personal information for longer periods of time, until set retention periods and deadlines expire, for instance where we are required to do so in accordance with legal, tax and accounting requirements set by a legislature, regulator or other government authority.
To determine the appropriate duration of the retention of personal information, we consider the amount, nature and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of personal information and if we can attain our objectives by other means, as well as our legal, regulatory, tax, accounting and other applicable obligations.
Once retention of the personal information is no longer necessary for the purposes outlined above, we will either delete or deidentify the personal information or, if this is not possible (for example, because personal information has been stored in backup archives), then we will securely store the personal information and isolate it from further processing until deletion or deidentification is possible.
Our Sites are not directed to, and we do not intend to, or knowingly, collect or solicit personal information from children under the age of 16 through our Sites. If an individual is under the age of 16, they should not use our Sites or otherwise provide us with any personal information through our Sites. If a child under the age of 16 has provided personal information to us, we encourage the child’s parent or guardian to contact us to request that we remove the personal information from our systems. If we learn that any personal information we collect through our Sites has been provided by a child under the age of 16, we will promptly delete that personal information. Although our Services are not directed to children under the age of 16, it is possible that our customers may request that we perform an examination of a child under the age of 16. If we have performed an examination of your child at the direction of our customer, we encourage you to contact your insurance provider or employer to exercise your rights with respect to your child’s personal information.
Our Services may include links to third-party websites, plug-ins and applications. Except where we post, link to or expressly adopt or refer to this Privacy Notice, this Privacy Notice does not apply to, and we are not responsible for, any personal information practices of third-party websites and online services or the practices of other third parties. To learn about the personal information practices of third parties, please visit their respective privacy notices.
We may update this Privacy Notice from time to time. When we make changes to this Privacy Notice, we will change the date at the beginning of this Privacy Notice. If we make material changes to this Privacy Notice, we will notify individuals by email to their registered email address, by prominent posting on our Services, or through other appropriate communication channels. All changes shall be effective from the date of publication unless otherwise provided.
If you have any questions or requests in connection with this Privacy Notice or other privacy-related matters, please send an email to referrals@1strehab.com.
These Additional California Privacy Disclosures (“California Disclosures”) supplement the information contained in our Privacy Notice by providing additional information about our personal data processing practices relating to individual residents of California. For a detailed description of how we collect, use, disclose, and otherwise process personal data in connection with our services, please visit our Privacy Notice. Unless otherwise expressly stated, all terms defined in our Privacy Notice retain the same meaning in these California Disclosures.
For the purposes of these California Disclosures, personal information does not include publicly available information or deidentified, aggregated or anonymized information that is maintained in a form that is not capable of being associated with or linked to you. Additionally, these California Disclosures do not describe our practices when we process Customer Data as a “service provider” in accordance with our contractual agreements with our customers.
Collection and Use of Personal Information
We collect personal information from and about consumers for a variety of purposes. We collect this information from a variety of sources, including directly from you, from your employer or organization, from our customers, from our service providers and affiliates, from your browser or device when you use our Services, or from third parties that you permit to share information with us. To learn more about the types of personal information we collect, the sources from which we collect or receive personal information, and the purposes for which we use this information, please refer to the Our Collection and Use of Personal Information sections of our Privacy Notice.
In the last 12 months, we have collected the following categories of personal information:
Disclosure of Personal Information
In the last 12 months, we may have disclosed all of the categories of information we collect to third parties for a business purpose, as described in the Our Disclosure of Personal Information section of the Privacy Notice. The categories of third parties to whom we sell or disclose your personal information for a business purpose include:
Sales and Sharing for Targeted Advertising
Unless you have exercised your right to opt-out, we may disclose or “sell” your personal information to third parties for monetary or other valuable consideration, or “share” your personal information to third parties for cross-context behavioral advertising purposes. The third parties to whom we sell or share personal information may use such information for their own purposes in accordance with their own privacy policies.
We have sold or shared the following categories of personal data for the purposes described in our Privacy Notice, subject to your settings and preferences and your Right to Opt-Out: Contact Information, Commercial Information, and Network Activity.
The categories of third parties to whom we may sell or share the personal data include:
Business and Marketing Partners (if applicable)
We may also disclose personal data for the purposes described in the Our Disclosure of Personal Information section of our Privacy Notice.
Sensitive Information
The following personal data elements we collect may be classified as “sensitive” under certain privacy laws (“sensitive information”):
We use this sensitive information for the purposes set forth in the Our Collection and Use of Personal Information section of our Privacy Notice.
We do not sell sensitive information, and we do not process or otherwise share sensitive information for the purpose of targeted advertising.
Your Privacy Choices
In accordance with applicable privacy law, and depending upon the jurisdiction in which you reside, you may have some or all of the following rights in respect of your personal information:
How to Exercise Your Privacy Rights
To submit a request to exercise one of the privacy rights identified above, please submit a request by:
We may need to verify your identity before processing your request, which may require us to request additional personal information from you. We will only use personal information provided in connection with a consumer rights request to review and comply with the request.
In certain circumstances, we may decline a request to exercise the rights described above, particularly where we are unable to verify your identity or locate your information in our systems. If we are unable to comply with all or a portion of your request, we will explain the reasons for declining to comply with the request.
If your request pertains to personal information we process as a service provider to our customers, we will direct you to submit your request to the customer on whose behalf we process your personal information.
Exercise Your Right to Opt-Out of Personal Information Sales or Sharing for Targeted Advertising
Unless you have exercised your right to opt-out, we may disclose or “sell” your personal information to third parties for monetary or other valuable consideration, or “share” your personal information to third parties for cross-context behavioral advertising purposes. The third parties to whom we sell or share personal information may use such information for their own purposes in accordance with their own privacy policies.
You do not need to create an account with us to exercise your right to opt-out. However, we may ask you to provide additional personal information so that we can properly identify you to track compliance with your opt-out request. We will only use personal information provided in an opt-out request to review and comply with the request. If you choose not to provide this information, we may only be able to process your request to the extent we are able to identify you in our data systems.
To exercise the right to opt-out, you may submit a request by clicking the links below:
At FRR, a QTC company, we take our responsibility to protect our customers’ data very seriously and are committed to protecting the privacy and accuracy of your confidential information. We apply industry-leading standards that align with the NIST Cybersecurity Framework (CSF) and NIST SP 800-171 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations) to protect your confidential information.
Following this risk-based approach, FRR performs an annual IT Controls risk assessment. FRR uses the results of this risk assessment to identify opportunities for improvement of existing IT controls and promptly implements any IT Controls needed to meet applicable industry, state, and federal laws and regulations. These regulations may include the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules as issued by the US Department of Health and Human Services (HHS) or any other laws that apply to our handling of your personal information.
FRR’s environment is protected with enterprise-grade security, including industry-leading security appliances. These appliances protect customer data from attacks targeting internet-facing applications and the underlying infrastructure.
Internal auditors and independent third-party assessors perform continuous IT and Cybersecurity risk assessments using the NIST 800-37 Risk Management Framework to maintain an Authorization to Operate (ATO) from various Federal Government Agencies. We also perform assessments of our IT and Cybersecurity measures in connection with meeting our obligations under the Sarbanes-Oxley Act. In adherence to these regulatory requirements, QTC’s IT General Controls for financial systems are evaluated by external auditors to ensure our systems’ security, availability, and processing integrity are operationally effective.
FRR’s environment is continuously monitored by our Security Operations Center (SOC). Our IT professionals and the Computer Security Incident and Response Team (CSIRT) are organized to coordinate, contain, eradicate, and recover from computer security incidents and coordinate customer notification. Furthermore, our Data Center partners utilize an independent, third-party cyber security firm that performs annual SOC 2 Audits for security compliance.