HEALTH SAVINGS ACCOUNT PRIVACY INFORMATION
This document supplements the HealthEquity, Inc. (“HealthEquity”, “we”, “our”, “us”) General Privacy Notice and only applies to health savings accounts (“HSAs”), including the web-only HSA investment advisor services offered by HealthEquity Advisors, LLC, a wholly owned subsidiary.
When you open an HSA with HealthEquity, you agree to the terms of our Health Savings Account Custodial Agreement ("Agreement", available here: Custodial Agreement). The Agreement confirms that your HSA is subject to the privacy and security protections of the Gramm-Leach-Bliley Act (“GLBA”) and that HealthEquity collects, processes, and discloses HSA information in accordance with the (a) GLBA Notice of Privacy Practices, and (b) HSA Data Sharing Practices, each described below.
GLBA NOTICE OF PRIVACY PRACTICES
The GLBA Privacy Rule defines nonpublic personal information (“NPI”) as any “personally identifiable financial information” that HealthEquity collects about an individual in connection with offering or providing HSA services. NPI includes any information that is not publicly available that (a) a consumer provides to HealthEquity (directly or through an employer or other agent) to apply for or obtain an HSA, (b) results from a transaction between the consumer and HealthEquity involving an HSA, or (c) HealthEquity otherwise obtains about a consumer in connection with providing HSA services. For example, NPI includes names, addresses, phone numbers, social security numbers, income, credit score, transaction information, information collected through an internet “cookie” or other tracking technology, and the mere fact that an individual has an HSA administered by HealthEquity. The GLBA Notice of Privacy Practices explains how we collect and protect NPI, and when it may be shared (e.g., for business purposes, such as transaction processing or with affiliates). The notice is available here: GLBA Privacy Notice. A paper copy was provided in your HSA welcome kit.
HSA DATA SHARING PRACTICES
Employer, Health Plan, or Insurance Company Disclosures
If you open or maintain an HSA through or in association with an employer, health plan, health insurance company, benefits administrator, benefits aggregator, or other entity, or those operating on behalf of such entities (each, an “Agent”), we may disclose HSA information, including but not limited to personally identifiable information, to your Agent related to the opening and maintenance of your HSA, and to ensure the security of our network and services, to protect against or prevent potential fraud or unauthorized transactions, or as otherwise permitted or required by law. When your Agent notifies us that your association with the Agent has been terminated, we will cease disclosing your information to that Agent, with a reasonable time for us to act on such notification.
If your Agent is subject to any rules of the U.S. Securities and Exchange Commission (“SEC”) that may indirectly or directly require the Agent to monitor your beneficial ownership of securities issued by clients of the Agent, we may disclose to your Agent the fact that you have or have not invested in securities through your HSA, the value of your ownership interest in such securities, detail regarding your transactions in such securities, and any other information that the Agent reasonably requests for purposes of facilitating its compliance with such SEC rules, unless you opt out of such sharing. To opt out, contact Member Services. Note that this opt-out only extends to the sharing described in this paragraph.
SSO or Links to Other Websites
Your Agent, retirement plan, or 401k recordkeeper, as part of a service offering, may have set up the capability whereby you can access the Agent’s retirement plan’s, 401k recordkeeper’s, or another third party’s website from our website without the need to enter your login credentials to access the third party’s website. This is often called “single sign on”. You may see a disclosure on our website that alerts you when you are leaving our website and accessing the website of the third party. If you have questions about this arrangement, please contact your Agent, retirement plan, or 401k recordkeeper.
Data Sharing Arrangements
Your Agent, retirement plan, or 401k recordkeeper, as part of a service offering and for your convenience, may have enabled functionality that would permit you to view your HSA information on the Agent’s, retirement plan’s, 401k recordkeeper’s, or another third party’s website or for other purposes that support the data sharing arrangement. If you have such an arrangement, we will share the information defined in the arrangement (such as account balance or investment information) that is necessary to provide the service with your Agent, retirement plan, 401k recordkeeper or another third party, which may be stored on their servers or systems. We are not responsible for the privacy and security practices of your Agent or another third party, and do not control their use or further disclosure of HSA information.
If you authorize the disclosure of HIPAA protected health information (“PHI”) to your HSA for personal tax recordkeeping purposes, it is no longer subject to HIPAA protections. Instead, the data is treated by HealthEquity as confidential HSA information subject to the provisions of the Agreement, the GLBA Notice of Privacy Practices, these HSA Data Sharing Practices, and our General Privacy Notice.
If you have any questions or comments about our HSA privacy and data sharing practices, please contact us at:
Mail: HealthEquity, Inc.
Attn: Privacy Officer
15 W. Scenic Pointe Drive
Draper, UT 84020
Last updated February 2022.