Consumer Health Data Privacy Policy
Effective date: March 5, 2026
Last updated: March 5, 2026
This Consumer Health Data Privacy Policy (“Health Data Policy”) supplements our general Privacy Policy and provides additional information specifically about how Rite Aid LLC (“Rite Aid,” “we,” “us,” or “our”) collects, uses, shares, and protects your consumer health data.
This Health Data Policy is provided to comply with the Washington My Health My Data Act (MHMDA), Nevada Senate Bill 370, and similar state health data privacy laws. If you are a resident of Washington State, Nevada, or another state with specific health data privacy requirements, this policy applies to you.
For residents of other states, please refer to our general Privacy Policy for information about our privacy practices.
1. Definitions
For purposes of this Health Data Policy:
- “Consumer health data” means personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status. This includes, but is not limited to:
  - Individual health conditions, treatment, diseases, or diagnosis
  - Social, psychological, behavioral, and medical interventions
  - Health-related surgeries or procedures
  - Use or purchase of prescribed medications
  - Bodily functions, vital signs, symptoms, or measurements of the above
  - Diagnoses or diagnostic testing, treatment, or medication
  - Gender-affirming care information
  - Reproductive or sexual health information
  - Biometric data
  - Genetic data
  - Precise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies
  - Data that identifies a consumer seeking healthcare services
- “Sell” means the sharing, disclosing, or transferring of consumer health data for monetary or other valuable consideration.
- “Share” means the disclosure of consumer health data to a third party.
2. Consumer Health Data We Collect
In connection with providing the Rite Aid Service, we collect the following categories of consumer health data:
| Category | Examples | Collected? |
|---|---|---|
| Health conditions and diagnoses | Self-reported health history, symptoms, conditions disclosed in health questionnaires | Yes |
| Diagnostic testing and results | Blood test results, biomarker levels, lab panels ordered | Yes |
| Medications | Self-reported current medications (for lab test safety screening) | Yes |
| Biometric data | Not collected | No |
| Genetic data | Genetic test results (if ordered) | Yes (if applicable) |
| Reproductive/sexual health | STI test results, hormone panels (if ordered) | Yes (if applicable) |
| Gender-affirming care | Hormone level tests (if ordered) | Yes (if applicable) |
| Precise location | We do not collect precise location for health-related purposes | No |
| Mental health | Not collected through our Service | No |
3. Sources of Consumer Health Data
We collect consumer health data from the following sources:
3.1 Directly From You
- Account registration: Health-related information you provide when creating an account
- Health questionnaires: Responses you provide to screening questions before ordering lab tests
- Customer support: Health information you voluntarily share when contacting us
3.2 From Our Service Providers
- Laboratory partners: Lab test results transmitted from our CLIA-certified laboratory partners (Quest Diagnostics, Labcorp, and others)
- Physician network: Clinical observations or notes from independent physicians who review and authorize your lab orders
3.3 Information We Do NOT Collect
We do not:
- Purchase consumer health data from data brokers
- Collect health data from third-party apps or devices
- Infer health conditions from non-health data (such as purchase history)
- Use tracking technologies to collect health data from other websites
4. Purposes for Collecting Health Data
We collect and use your consumer health data for the following purposes:
| Purpose | Description |
|---|---|
| Providing the Service | Processing your lab test orders, coordinating with laboratories, delivering your results, and providing personalized health insights |
| Physician authorization | Enabling licensed physicians to review and authorize your lab orders |
| Customer support | Responding to your questions and resolving issues related to your orders or results |
| Service improvement | Analyzing aggregated, de-identified data to improve our Service (individual health data is never used for this purpose without anonymization) |
| Legal compliance | Complying with applicable laws, regulations, and legal processes |
| Safety and security | Protecting against fraud and ensuring the security of our Service |
We do NOT use your consumer health data for:
- Advertising or marketing purposes
- Sale to third parties
- Profiling or automated decision-making that produces legal or similarly significant effects
- Any purpose not disclosed in this policy without first obtaining your consent
5. How We Share Consumer Health Data
We share your consumer health data only with the following categories of third parties and only for the purposes described:
| Category of Recipient | Purpose | Examples |
|---|---|---|
| Laboratory partners | To perform your ordered lab tests | Quest Diagnostics, Labcorp |
| Physician network | To review and authorize your lab orders and results | Independent licensed physicians contracted to provide medical oversight |
| Cloud infrastructure providers | To securely store and process your data | Cloud hosting services with appropriate security certifications |
| Government/regulators | When required by law or legal process | Response to subpoenas, court orders, or regulatory inquiries |
Entities We Do NOT Share Health Data With
We do NOT share your consumer health data with:
- Advertising networks or platforms (Meta, Google Ads, etc.)
- Data brokers
- Employers
- Insurance companies
- Any third party for their own marketing purposes
6. We Do Not Sell Your Health Data
Rite Aid LLC does not sell your consumer health data. We have not sold consumer health data in the preceding 12 months, and we have no plans to sell consumer health data in the future.
We do not exchange your health data for monetary compensation or other valuable consideration with any third party.
7. Your Consent
7.1 How We Obtain Consent
Before collecting your consumer health data, we obtain your affirmative consent through a clear and conspicuous disclosure during the account creation process. This consent:
- Is separate from any other consents or terms
- Clearly describes the categories of health data collected
- Describes the purposes for collection
- Describes the categories of third parties with whom data may be shared
- Explains how you can withdraw consent
7.2 Withdrawing Consent
You may withdraw your consent to the collection and use of your consumer health data at any time by:
- Contacting us at [email protected]
- Closing your account through your account settings
- Submitting a request through our privacy request portal
Effect of withdrawal: If you withdraw consent, we will stop collecting new consumer health data from you. However, withdrawal will prevent you from using the Service, as health data collection is necessary to provide lab testing services. Withdrawal does not affect the lawfulness of processing conducted before you withdrew consent.
7.3 Consent for Specific Purposes
If we wish to use your consumer health data for a purpose not disclosed in this policy, we will obtain your separate, specific consent before doing so.
8. Your Rights
If you are a resident of Washington State, Nevada, or another state with applicable health data privacy laws, you have the following rights regarding your consumer health data:
8.1 Right to Know / Right to Access
You have the right to confirm whether we are collecting, sharing, or selling your consumer health data, and to access the specific consumer health data we have collected about you.
8.2 Right to Deletion
You have the right to request that we delete your consumer health data. Upon receiving a verified deletion request, we will delete your consumer health data within 30 days, unless an exception applies (such as legal retention requirements).
8.3 Right to Withdraw Consent
You have the right to withdraw your consent to the collection and processing of your consumer health data at any time, as described in Section 7.2.
8.4 Right to Non-Discrimination
We will not discriminate against you for exercising any of your rights under this policy. We will not:
- Deny you goods or services
- Charge you different prices or rates
- Provide you with a different level or quality of service
- Suggest that you may receive different treatment
8.5 Right to Appeal (Washington Residents)
If we deny your request to exercise any of the rights described above, you have the right to appeal our decision. To appeal, contact us at [email protected] with the subject line “Appeal of Privacy Request.” We will respond to your appeal within 45 days.
If you are unsatisfied with our response to your appeal, you may file a complaint with the Washington State Attorney General at:
- Website: www.atg.wa.gov/file-complaint
- Phone: 1-800-551-4636
9. How to Exercise Your Rights
9.1 Submitting a Request
To exercise any of your rights, you may:
- Email: [email protected]
- Text: 863-270-9911
- Mail: Rite Aid LLC, Attn: Privacy Office — Health Data Request, 30 N Gould St, Ste R, Sheridan, WY 82801
9.2 Verification
To protect your privacy, we must verify your identity before processing your request. We will ask you to provide:
- Your name and email address associated with your account
- Your date of birth
- Additional information if necessary to verify your identity
We will not require you to create an account to submit a request if you do not already have one.
9.3 Response Time
We will respond to your request within:
- Washington residents: 45 days (may be extended by an additional 45 days if reasonably necessary)
- Other residents: 45 days
If we need additional time, we will notify you of the extension and the reason.
9.4 Authorized Agents
You may designate an authorized agent to submit a request on your behalf. We will require:
- Written authorization signed by you
- Verification of the agent’s identity
- Verification of your identity
10. Data Security
We implement robust security measures to protect your consumer health data:
- Encryption: All health data is encrypted in transit (TLS 1.3) and at rest (AES-256)
- Access controls: Health data is accessible only to authorized personnel with a legitimate business need
- Audit logging: We maintain detailed logs of all access to health data
- Security assessments: We conduct regular security assessments and penetration testing
- Incident response: We maintain incident response procedures and will notify you of any breach affecting your health data as required by law
11. Changes to This Policy
We may update this Consumer Health Data Privacy Policy from time to time. If we make material changes, we will:
- Notify you by email (if you have an account with us)
- Post a prominent notice on our website
- Update the “Last Updated” date at the top of this policy
Material changes will not take effect until at least 30 days after notice is provided.
12. Contact Us
If you have questions about this Consumer Health Data Privacy Policy, wish to exercise your rights, or have concerns about how we handle your health data, please contact us:
Rite Aid LLC
Attn: Privacy Office
30 N Gould St, Ste R
Sheridan, WY 82801
Email: [email protected]
Text: 863-270-9911
Additional Information for Washington State Residents
This section provides additional disclosures required by the Washington My Health My Data Act (RCW 19.373):
- Categories of consumer health data collected: Health conditions, diagnostic testing and results, medications, and (if applicable) genetic data and reproductive/sexual health information. See Section 2 for details.
- Purpose for collection: To provide the Rite Aid Service, including processing lab orders, coordinating with laboratories, and delivering results. See Section 4 for details.
- Categories of third parties with whom data is shared: Laboratory partners, physician network, and cloud infrastructure providers. See Section 5 for details.
- How to exercise your rights: Contact us at [email protected] or text 863-270-9911. See Section 9 for details.
- Processor and contractor arrangements: We maintain written agreements with all service providers who process consumer health data on our behalf. These agreements prohibit service providers from (1) collecting, using, or retaining consumer health data for any purpose other than performing services for us, (2) selling or sharing consumer health data, and (3) combining health data with data obtained from other sources.
© 2026 Rite Aid LLC. All rights reserved.