Privacy Policy

Effective Date: August 1, 2020 


Please note that by using this Site and/or our Services, you consent to the privacy practices of HCRM and the other terms set forth in this Privacy Policy. Use of this Site is also subject to your agreement to the HCRM Website Terms of Use. If you do not agree to the foregoing, or with HCRM’s Privacy Policy, use of this Site is not permitted.

Health Cost & Risk Management, LLC (“HCRM,” “we” or “us”) recognizes the importance of protecting the security and privacy of Personal Information – this is fundamental to our customers and to our business, and we take this obligation very seriously. 

This privacy policy (“Privacy Policy”) discloses the privacy practices of HCRM as they relate to Personal Information that we receive or collect from you or about you through this website and HCRM’s other websites which link to this Privacy Policy (individually and collectively, the “Site”) through which HCRM markets or provides access to its various products and services (“Services”). This Privacy Policy also applies to Personal Information we receive or collect from you or about you, generally. Please read the information below carefully. 

While this Privacy Policy does not apply to Protected Health Information (PHI), as defined in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and HIPAA Privacy Rule, HCRM takes numerous steps to safeguard the confidentiality and security of PHI, including entering into Business Associate Agreements with customers and third parties, where required by law, and by following reasonable and appropriate data security practices, such as those described in the section below entitled, “How We Protect Your Personal Information.”

We reserve the right to amend this Privacy Policy from time to time. We will notify you about significant changes in the way we treat Personal Information by sending a notice to the primary email address specified in your account if you are a user of our Services, by placing a prominent notice on the Site, and/or by updating this Privacy Policy as posted on the Site. Your continued use of the Site, and/or our Services after such modifications, will constitute your acceptance of the modified Privacy Policy. 

Processing of Data in the U.S. 

This Privacy Policy is intended to meet the laws and regulations of the United States. Despite the global nature of the Internet, HCRM makes no representation or warranty that any content, data or information made available on this Site or our Services are appropriate for or may be viewed or used outside the United States. Our servers and databases are located in the United States. Furthermore, HCRM makes no representation or warranty that its data security or privacy practices, safeguards or procedures will meet the requirements of any country’s or region’s laws or regulations other than the United States. Regardless of the country in which you reside or from which you access this Site, by visiting or using the Site or our Services, you unequivocally agree and consent to the collection, storage and processing in the United States of any information collected or obtained thereby, as necessary to provide this Site or our Services, or as stated in this Privacy Policy. You also agree that U.S. law governs this Privacy Policy and all of the foregoing activities. 

Information You Submit to Us and How We Use It 

You may choose to provide Personal Information to us when you provide it through the Site or through the use of our Services. You may contact and send Personal Information to us by completing an online form or sending us an email, whether to inquire about purchasing our Services, submit a request, respond to an email or blog posting, ask a question, apply for a job, or make a comment. We may use the information you provide to respond to your inquiry, contact you about your request, ask a question, provide announcements about products, services or future events, conduct surveys, consider your application for employment, and/or contact you for other reasons related to offering and improving our Services. 

In addition, we may also use Personal Information to operate, evaluate, and improve our business. Specific uses include developing new products and services; managing our communications; performing market research; advertising and marketing; determining the effectiveness of our advertising and marketing; analyzing our products, services, and websites; and administering our websites. We may also use the information to protect against and prevent fraud, claims, and other liabilities and to comply with or enforce applicable legal requirements, industry standards, and our policies and terms. In addition, we may use the information we obtain through the Site in other ways for which we provide specific notice at the time of collection. 

Information We Obtain by Automated Means 

When you visit our Site or use our Services, we may collect certain information by automated means using technologies such as cookies, non-cookie-based tokens, web server logs, and web beacons. Cookies are files that websites send to your computer or other Internet-connected device to identify your browser uniquely or to store information or settings in your browser. Non-cookie-based tokens are encoded URL-based identifiers that track email click-thru activity or time-sensitive password reset keys and will work in scenarios where cookies are disabled, or a session has not been initiated. Your browser may provide instructions on how to restrict or disable certain cookies. Please note, however, that without cookies, you may not be able to use all of the features of our Site or Services. In that event, you may contact us indicated in the “How to Contact Us” section below. 

Our web servers may log information such as your operating system type, browser type, domain, and other system settings, as well as the language your system uses and the country and time zone where your device is located. The web server logs may also record information such as the address of the web page that referred you to our Site and the IP address of the device you use to connect to the Internet. They may also log information about your interaction with the Site, such as which pages you visit. To control which web servers collect information by automated means, we may place tags called “web beacons,” which are small files that link web pages to particular web servers and their cookies. 

How We Use Information Obtained by Automated Means

We use information collected online through cookies, non-cookie-based tokens, web beacons, and other automated means to facilitate, customize and enhance visitors’ engagement with our Site, collecting statistics about your visits to the Site, and understanding the manner in which our visitors browse the Site. We also use the information to help diagnose technical and service problems, administer the Site, and identify visitors to the Site. We use clickstream data to determine how much time visitors spend on web pages of the Site, how visitors navigate through the Site, and how we may tailor the Site to meet the needs of our visitors. 

“Do Not Track” Signals 

Your browser settings may allow you to transmit a “Do Not Track” signal to websites and online services you visit. Like many other websites and online services, we do not currently process or respond to “Do Not Track” signals from your browser or to other mechanisms that enable choice. Both we and others (such as our service providers) may collect Personal Information about our visitors’ online activities over time and across third-party websites. 

Sharing Information Collected with Third Parties 

We do not share Personal Information we collect through our Site with third parties. In some cases, however, information may be collected automatically by our service providers through browser cookies in order to enable them to provide their services, e.g., assisting us in making available the functionality of our Site.

How We Protect Your Personal Information

HCRM employs several layers of security to protect Personal Information and our customers’ data: physical, application, and network. The physical layer is protected by need-to-know authorization provided only to the appropriate operations individuals. Additionally, the servers are caged within a room protected by secure access procedures. The application layer is secured with Thawte 128 bit SSL encryption technology so all communication with our Services is encrypted. The network layer is protected by industry-leading firewall technology and administered real-time to provide timely security patching. This layer is also monitored by intrusion-detection systems designed to detect unauthorized access. These safeguards are intended to protect Personal Information and our customers’ data to the extent reasonably possible and to ensure, to the extent reasonably possible, the proper and legal use of our Site and our Services. However, no data security system is impenetrable and HCRM cannot and does not guarantee or warrant the absolute security of any information we store, process or transmit over the Internet or otherwise, and it may be possible for third parties not under our control to intercept or access private information unlawfully. 

Notwithstanding anything else in this Privacy Policy, including any opt out instructions we receive from you, we may also disclose Personal Information without notifying you in the following circumstances: (i) in response to subpoenas, court orders or other legal process, or to establish or exercise our legal rights or defend against legal claims; (ii) when we believe it to be necessary in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, or violations of any agreement we have with you, and/or to protect our rights and property or those of others with which we do business; (iii) when we sell or license the Service (excluding usage rights granted to customers during the normal course of business) as an asset, or in the event of a sale, merger, corporate reorganization or other business consolidation or similar transaction, where user information may be among the transferred assets or disclosed; or (iv) when we have your prior consent to do so. 

Children and Privacy 

HCRM’s Site is not targeted toward, and we do not seek or desire to collect information from, children under the age of 13. We will not knowingly request information from persons under such age. You agree not to provide any Personal Information to us related to any child under the age of 13. 

Linked Sites 

For your convenience, some hyperlinks may be posted on our Site that link to other websites not under the control of HCRM. We are not responsible for these other websites and this Privacy Policy does not apply to the privacy practices of those sites. In addition, when you initiate a transaction on a website that our Site links to, even if you reached that site through our Site, the information you submit to complete that transaction becomes subject to the privacy practices of the owner of that linked site. You should read their privacy policies to understand how they use and protect Personal Information and other data that they collect. HCRM is not responsible for the privacy, security or other information practices, or any acts or omissions of its suppliers or any third parties, related to the operation of their websites or otherwise. 

What Choices Do You Have? / Opting Out 

We communicate with our customers on a regular basis via email, and we may also communicate by phone to resolve customer complaints or investigate suspicious transactions. We may use your email address to confirm your opening of an account, to send you notices regarding payments, or to send notices and other disclosures as required by law. Generally, customers cannot opt out of informational communications relevant to their accounts. 

Upon request, HCRM will provide you with information about whether we hold or process any of your Personal Information. In addition, we are interested in maintaining the accuracy, completeness and currency of this information. To inquire regarding the content of any of your Personal Information or to request any modifications, please contact us at or as otherwise described in the “How to Contact HCRM” section below. We will make reasonable efforts to update your Personal Information per your request. Under any circumstances, the sender of any communications to HCRM is responsible for the content and information contained therein, including its accuracy and truthfulness, and you agree that you will not knowingly provide to HCRM any information which is inaccurate or which you do not have the legal right to provide. 

Customers and visitors may also ask us at any time to remove their contact information (name and email address) from our list of those who wish to receive email advertisements from HCRM and our affiliated companies by simply sending such a request to or as otherwise described in the “How to Contact HCRM” section below. In addition, you may follow the unsubscribe instructions included in each promotional email. Once you opt out, we will honor your choice until you inform us otherwise. All requests made by to HCRM to update or delete any Personal Information of the requesting individual shall be responded to within a reasonable period not to exceed 45 days. 

California Privacy Rights

This section on California Privacy Rights applies to you if you are a natural person who is a resident of the State of California, to the extent the California Consumer Privacy Act of 2018 (CCPA) applies to HCRM.

HCRM is a Service Provider Under the CCPA

HCRM is a “service provider” to the “businesses” (each, as defined under the CCPA) that are its customers.  We may process Personal Information received from or transmitted to us by our customers through the use of our Services to provide support to our customers in the use of our Services, and to meet our contractual obligations to our customers as a service provider.  

HCRM only uses Personal Information for the purposes for which it was provided.  However, because we have no control over whether our customers sell any of your Personal Information, we urge you to read the privacy policies or statements on their respective websites.  

As a service provider under the CCPA, HCRM is not permitted to – and does not – retain, use, or disclose Personal Information obtained in the course of providing our Services except: (a) to perform the services specified in the written contract with the business (our Customer) that provided the Personal Information; (b) to retain and employ another service provider as a subcontractor, where the subcontractor meets the requirements for a service provider under the CCPA and its regulations; (c) for our internal use to build or improve the quality of our Services, provided that the use does not include building or modifying household or consumer profiles, or cleaning or augmenting data acquired from another source; (d) to detect data security incidents, or protect against fraudulent or illegal activity; or (e) for the following purposes: (i) to comply with federal, state, or local laws; (ii) to comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities; (iii) to cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law; or (iv) to exercise or defend legal claims.

HCRM has not sold and does not sell Personal Information, as contemplated by the California Consumer Privacy Act (CCPA).  Accordingly, your right under the CCPA to opt out of the sale of your Personal Information will not apply as it relates to HCRM.  

Your Rights Under the CCPA


Under the CCPA, if you are a California consumer, you have the following rights, among others:


  • The right to know what Personal Information about you a business has collected, disclosed or sold, subject to various exceptions and limitations.  More specifically, you have: (a) the right to request that a business that collects your Personal Information disclose to you the following, upon receipt of a verifiable request; (b) the categories of Personal Information it has collected about you within the preceding twelve months; (c) the categories of sources from which the Personal Information is connected; (d) the business or commercial purpose for collecting or selling Personal Information; (e) the categories of third parties with whom the business shares Personal Information; and (f) the specific pieces of Personal Information it has collected about you. 


  • The right to request that a business that sells your Personal Information, or that discloses it for a business purpose, disclose to you the following: (a) the categories of Personal Information that the business collected about you within the preceding twelve months; (b) the categories of Personal Information about you that the business sold and the categories of third parties to whom the Personal Information was sold, by category or categories of Personal Information, for each category of third parties to which the Personal Information was sold; and (c) the categories of Personal Information that the business disclosed about you for a business purpose.


  • The right, at any time, to direct a business that sells Personal Information about you to third parties not to sell your Personal Information.  This right may be referred to as the right to “opt-out.”


  • The right to request that a business delete any of the Personal Information it has collected about you.


  • The right not to have a business discriminate against you because you exercise any of your rights as a consumer under the CCPA, including, but not limited to, by: (a) denying goods or services to you; (b) charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties; (c) providing a different level or quality of goods or services to you; or (d) suggesting that you will receive a different price or rate for goods or services or a different level; or quality of goods or services, except that a business may charge you a different price or rate, if that difference is reasonably related to the value provided to the business by your data.

Categories of Personal Information 

Where you, as a California consumer, provide your Personal Information to one of our customers for which we act as a service provider, that Personal Information may fall into certain categories which our customer, as a business subject to the CCPA, is obligated to identify to you. These categories may include, without limitation: (a) identifiers, such as your name, email address, and postal address; (b) commercial information, including credit or debit card information, records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies; (c) internet or other electronic network activity information, including, but not limited to, IP address, device ID, browsing history, search history, and information regarding your interaction with our customer’s website, but the foregoing information will be collected through the use of cookies placed on your web browser or device or other technologies; or (d) inferences drawn from any of the Personal Information described above to create a profile about you as a consumer, reflecting your preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

Exercising Your Rights Under the CCPA

If you are a California consumer and wish to exercise your right under the CCPA to know what Personal Information our customer has collected from or about you (a “request to know”), or your right to request our customer to delete Personal Information it has collected from or about you (a “request to delete”), please contact our customer directly – the business which is directly obligated to you under the CCPA.  Because HCRM is a Service Provider to its customers, our customers are responsible for the storage, protection and disclosure to third parties of any of the above categories of Personal Information processed using our Services.  Please consult their privacy policies for information regarding the recipients and purposes of such disclosures.  As a business to which you provided Personal Information, our customers are solely responsible for how they protect and use your Personal Information you provide to them and for their compliance with the CCPA and other applicable laws and regulations.  

If we receive a “request to know” or a “request to delete” from you, as a California consumer, relating to Personal Information our customer has collected from or about you, HCRM will either act on behalf of our customer in responding to your request or inform you that we cannot do so because HCRM acts as a service provider to our customer, and that you must contact our customer.  In that case, we will provide you with information relating to our customer, the business on whose behalf we process your Personal Information.

HCRM is not responsible or liable for the obligations of our customers as businesses under the CCPA to which we provide or Services, nor for any other acts or omissions of our customers, including the security, accuracy, or quality of the Personal Information which may be processed by our Services but stored in our customers’ systems or those of a third party on behalf of a customer.  

HCRM will not discriminate against you in any way because you elect to exercise, or have exercised, any of your rights under the CCPA.

Please use the contact details below if you would like to access this Privacy Policy in an alternative format, exercise your rights under the CCPA as they relate to HCRM (if applicable), or designate an authorized agent to make a request on your behalf.  


Note to authorized agents acting on behalf of California consumers: If you are authorized to exercise rights on behalf of a California consumer and wish to do so as they relate to HCRM, please provide us with a copy of the consumer’s written authorization designating you as their agent.  HCRM will need to verify your identity and place of residence before complying with your request.


How to Contact Us 

If you have any questions or comments about this Privacy Policy or any issue relating to how we collect, use, or disclose Personal Information, or if you would like us to update information we have about you or your preferences, please email us at: or write to us at: Health Cost & Risk Management LLC, 690 Old Trail Road, Highland Park, IL 60035. 


Created 8/1/2020

Revised 4/11/2024