epocrates Privacy Policy


Effective: December 29, 2022

Table of Contents

  1. Scope and Purpose
  2. What personal information do we collect?
  3. How do we collect your information?
  4. How do we use your information?
  5. How do we share your information?
  6. Retention and protection of data
  7. State consumer privacy rights
  8. Cookies and automated data collection technologies
  9. Social media and other integrations

I. Scope and Purpose

This privacy policy (“Policy”) describes how Epocrates, LLC and our parent companies, subsidiaries, and affiliated companies, including athenahealth, Inc. (“epocrates,” “we,” “our,” or “us”) may collect, use, and share information about you that we obtain through epocrates.com, epocrates Online, our epocrates mobile application(s), any communication mechanisms (e.g., emails or newsletters) from us, and other websites and/or applications of ours that display this privacy policy (“Services”). This Policy does not cover websites, applications, or services displaying different privacy statements/policies.


II. What personal information do we collect?

Personal information is data that can be used to identify you. The types of personal information that we collect depend on your interactions with us. Over the last 12 months, we may have collected personal information that generally falls into the following categories:

Identifiers, such as your name, email address, or IP address.

Information contained in our customer records, such as postal address or telephone number.

Protected class information, such as age.

Commercial information, such as information regarding products or services you purchased.

Internet or other electronic network activity information, such as how you interact with our website, application, or advertisements.

Professional or employment information, such as your title or employer.

Geolocation information, such as your general location (e.g., city/state) which may be collected or derived from your IP address.

Inferences drawn from other personal information, such as a profile reflecting a person’s preferences, behavior, or characteristics.


III. How do we collect your information?

We collect information you provide us.

  • When you create a new account in our mobile application, we may ask for your first and last name, email, creation of a password, occupation, and for your zip code. We will then present you with a list of Health Care Providers (“HCPs”) with your same name/zip code combination and available National Provider Identification (“NPI”) numbers, based on data from the National Plan & Provider Enumeration System (“NPPES”) registry. You will be asked to select the correct NPI profile that represents you. Once you claim your profile, we will ask about your specialty and any applicable sub-specialty to designate in your account;
  • When you create a new account or update an existing account in epocrates Online, we ask for your full name, email address(es), creation of password, work zip code, occupation, and specialty/subspecialty information (as applicable). You may also provide information related to the medical school you attended including the country, state, name, graduation year, former last name (as applicable), and date of birth. We may also ask you to provide other pieces of information, including, but not limited to, information related to your residency (including year(s) attended), information related to your practice, information related to your hospital affiliation, and your billing address. This process may also include a series of security related questions;
  • We collect date of birth when you participate in Continuing Medical Education (“CME”) programs offered through our Services;
  • We may ask you for other types of information like demographic information, for example, when you participate in a survey or product test or when you enter a contest or other promotional event;
  • We may also collect and track information related to your current and historic subscription status, search queries, discount codes used, and other interactions with the Services which may inherently be associated with other identifiable characteristics of you. For example, we may collect a discount code that is directly tied to your employer;
  • Through your interaction and use of epocrates.com and/or requests for information related to our Services, we may also collect the following information from you: first and last name, email address(es), phone, address including a zip code, employer/organization name, employment title, school affiliation information (as applicable), information you provide related to your interest in epocrates and our Services (for example, nature of your request, what product(s) you are interested in, and why you are interested in epocrates, number of licenses you are interested in, product interest, etc.), school affiliation information, and the text you enter into free text fields;
  • We may also collect any information you provide to us through use of the Services. For example, if you use the ‘Feedback’ functionality within the Services, we will collect the rating you provide as well as any information you enter in the free text field.

We collect information automatically.

  • When you visit our website epocrates.com, use our Services, or interact with communications we may send to you in connection with your use of our Services (for example, emails or newsletters), some information is automatically collected. For example, when you visit or use our Services your computer's operating system, Internet Protocol (IP) address, access times, browser type and language, geo-location, and the website you visited before our site may be collected and logged automatically.
  • We also collect information in connection with your use of the Services and your interaction with the Services or your interaction with communications sent to you in connection with your use of our Services (including, but not limited to, your clicks and searches through your use of the Services, advertisements, your interaction with the content made available through the Services, messages and communications (e.g. emails or newsletters) surfaced through or in connection with your use of the Services (whether sponsored or not sponsored), emails, newsletters, push notifications, In App messages, or other messaging from us).
  • We may combine automatically collected information and/or information collected in connection with your use of the Services with other information we collect about you through your use of the Services or received from other 3rd party sources (for example, your NPI available data from NPPES). Your use of our Services or our website is treated as your consent to the automatic collection of the data described herein.
  • Additionally, when you use our Services or interact with communications sent to you in connection with our Services, we may automatically collect data about your device such as your device ID, type of device you use, operating system version, and information related to your use of the Services.
  • All of the data collection methods described in this section, “We collect information automatically”, are collectively referred to as “User Behavior Information.”

We receive information from third parties.

  • We may also collect additional information about you from third parties to assist us in providing you with Services. For example, we may obtain commercially or publicly available information about you from third parties or purchase email lists from third-parties for advertising and marketing purposes. We may also receive information from third-parties who provide services to us through web-beacons and other technologies or as otherwise discussed in this Privacy Policy and use such information for marketing, sales, and advertising purposes.


IV. How do we use your information?

We use information collected (including User Behavior Information) through our Services for purposes described in this policy or for those purposes disclosed to you in our Services. For example, we may use your information to:

  • Operate and improve our Services;
  • Share information you provide to us and/or User Behavior Information with clients and prospective clients (for example, pharmaceutical companies and other advertising clients) about your use or interaction with the Services, interaction with promotional and non-promotional content contained within the Services, as well as interactions with communications you receive in connection with the Services (for example, emails and newsletters);
  • To provide you access to CME content through the Services;
  • Respond to your comments and questions and provide customer service;
  • Send you related information, including confirmations, invoices, technical notices, updates, security alerts, and support and administrative messages;
  • Better understand you so that we may tailor messaging and services to you based on your interests, preferences, needs, and specialties;
  • Communicate with you via email, alerts (push notifications and/or in app alerts), and other messaging outlets about commercial, non-commercial, sponsored, and non-sponsored information, FDA and product safety alerts, new drugs and pharmaceutical studies, and related information. By accepting the terms of this Policy, you are opting in to receiving such communications from us;
  • Send you information via email about products and services offered by us, our affiliates, and our partners. By accepting the terms of this Policy, you are opting in to receive such emails from us.
  • Send you invitations, by email or other means, to participate in market research survey opportunities. By accepting the terms of this Policy, you are opting in to receive such invitations from us;
  • Link or combine your information with other information we collect through our Services or information collected through your interaction with communications received in connection with the Services, with information received from third parties.


V. How do we share your information?

We share information outside of epocrates as follows:

  • With your consent;
  • With our third party vendors, consultants, agents, and other service providers with whom we contract to help us provide or improve our Services. For example, we may work with companies to host and maintain our data, provide messaging services, analyze our data or provide marketing assistance;
  • To provide our commercial clients and prospective commercial clients, such as pharmaceutical companies and their advertising agencies, with your information for audience or user matching purposes;
  • To provide our commercial clients and prospective commercial clients (for example, pharmaceutical companies and their advertising agencies) with your information when you engage with promotional and nonpromotional content (including related communications) through or in connection with our Services and information about the type of engagement (e.g., whether you viewed, interacted with or requested information about such promotional content);
  • To provide our clients, prospective clients, or third party vendors with aggregated information such as statistics about our customers, sales, product usage or traffic patterns, and related website or Services information as well as User Behavior Information in order to provide the Services;
  • To provide market research clients with your information when you engage in market research activities;
  • In connection with providing you access to CME content through the Services, your information and/or User Behavior Information will be shared with relevant Accrediting Organizations, Accredited Education Providers, Medical Education Companies and Medical Education Sponsors (collectively referred to as “Continuing Medical Education Partners”) who have funded, created, or distributed the CME content through the Services. An Accrediting Organization is a body that provides the criteria, policies, and standards to Accredited Education Providers. An Accredited Education Provider is an entity that has created medical education materials and has been given accreditation by an Accrediting Organization. A Medical Education Company participates in the coordination and distribution of accredited medical education content. A Medical Education Sponsor is a company or organization that provides funding to create medical education content;
  • If you post a comment or message in our blog or other public forums hosted by us, it will be shared publicly. We display personal testimonials of satisfied customers on our site in addition to other endorsements. With your consent we may post your testimonial along with your name;
  • To (i) comply with laws or to respond to lawful requests and legal process, (ii) to protect the rights and property of our agents, customers, and others including to enforce our agreements, policies, and terms of use or (iii) in an emergency to protect the safety of epocrates, its customers, or any person, and in certain situations, we may be required to disclose information in response to lawful requests by public authorities, including meeting national security or law enforcement requirements;
  • In connection with or during negotiation of any merger, financing, acquisition, or bankruptcy transaction or proceeding involving sale or transfer of all or a portion of our business or assets to another company.


VI. Retention and protection of data

While we maintain your information, we protect it using administrative, physical, and technical security safeguards designed to protect your information. When we collect certain sensitive information (such as geolocation), we encrypt the transmission of that information using secure socket layer technology (SSL). Despite these measures, we cannot guarantee the security of the information we maintain about you.

We retain information for different periods of time depending on the purposes for which we collect and use it, as described in this Privacy Policy. We will not retain information for longer than needed to fulfill these purposes unless a longer retention period is required to comply with legal obligations. Also, there may be technical or other operational reasons where we are unable to delete or de-identify your information. Where this is the case, we will take reasonable measures to prevent further processing of your information.


VII. State consumer privacy rights

Rights for residents of applicable states

If you are a resident of a state with applicable consumer privacy laws, you may have the following rights:

  • To confirm whether we process your personal information.
  • To access your personal information.
  • To correct inaccuracies in your personal information.
  • To delete your personal information that we have obtained.
  • To receive a copy of your personal information in a portable and readily usable format.
  • To opt out of the sale or sharing of your personal information.
  • To opt out of the processing of your personal information for purposes of (i) targeted advertising or (ii) automated decision-making or profiling in furtherance of decisions that produce a legal or similarly significant effect on you.

If you live in a state that requires specific consent prior to processing your sensitive personal information for certain purposes, we will obtain such consent and you can withdraw your consent at any time.

Residents of applicable states may exercise the above rights by:

  • Submitting a request at www.athenahealth.com/consumer-privacy-request
  • Calling our toll-free number at 888-807-2076

We may ask you to provide us with information necessary to reasonably verify your identity before responding to your request. We will consider all requests and provide our response within the time period required by applicable law. Please note, however, that certain information may be exempt from such requests. If we deny your request in whole or in part, you may have the right to appeal the decision. In such circumstances, we will provide you with information regarding the appeals process.

Response Timing and Format

We endeavor to respond to a consumer request within forty-five (45) days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing.

California Resident Privacy Notice

Below, please find the categories of information we may have collected about you in the last twelve months, the purposes for the collection, and the third parties with whom your personal information may have been disclosed, shared, or sold. For more information on these practices, please see Sections II-V.

Categories of personal information collected:

  • Identifiers
  • Information contained in our customer records
  • Protected classes
  • Commercial information
  • Internet or other electronic network activity information
  • Professional or employment information
  • Geolocation data
  • Inferences drawn from other personal information

Purposes for the collection of personal information:

  • To provide the Services
  • To improve the Services
  • To personalize the Services
  • Marketing and advertising
  • Business operations
  • Where you have given us your consent
  • As required by applicable law
  • To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets

Third parties with whom personal information may have been disclosed, shared, or sold:

  • Service providers.
  • Commercial clients (including prospective commercial clients). For example, pharmaceutical companies, media agencies that represent such pharmaceutical clients and medical societies as well as Continuing Medical Education Partners.
  • Third Party Partners
  • Where you have given us your consent

If you are a California resident, you may have the following rights with respect to the personal information we process about you:

  • To request information about the categories of personal information we have collected about you, the categories of sources from which we collected the personal information, the purposes for collecting or sharing the personal information, the categories of third parties with whom we have shared or sold your personal information, and the specific pieces of personal information we have collected about you.
  • To request that we delete personal information that we have collected from you.
  • To request that we correct inaccurate personal information that we maintain about you.
  • To opt out of the sale or sharing of your personal information.

California residents may exercise the above rights by:

  • Submitting a request at www.athenahealth.com/consumer-privacy-request
  • Calling our toll-free number at 888-807-2076

Only you, or someone legally authorized to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child.

We may ask you to provide us with information necessary to reasonably verify your identity before responding to your request. We may require you to use your e

perform such verification. We will consider all requests and provide our response within the time period required by applicable law. Please note, however, that certain information may be exempt from such requests. If we deny your request in whole or in part, you may have the right to appeal the decision. In such circumstances, we will provide you with information regarding the appeals process.

You may only make a consumer request for access or data portability twice within a 12-month period. We will not discriminate against you for exercising any of your rights.

Response Timing and Format

We endeavor to respond to a consumer request within forty-five (45) days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing.

Any disclosures we provide will only cover the 12-month period preceding the consumer request's receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable.

Other California Privacy Rights

California's "Shine the Light" law (Civil Code Section § 1798.83) permits users of our Sites that are California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes in particular: Customers who are residents of California may request (i) a list of the categories of personal information disclosed by us to third parties during the immediately preceding calendar year for those third parties’ own direct marketing purposes; and (ii) a list of the categories of third parties to whom we disclosed such information. To make such a request, please write us at: Chief Compliance Officer, athenahealth, Inc. 311 Arsenal Street, Watertown, MA 02472. We may require additional information from you to allow us to verify your identity and we are only required to respond to requests once during any calendar year.


VIII. Cookies and automated data collection technologies

Some of our Services use cookies and similar technologies (such as pixels and pixel tags, ad tags, Software Development Kits (“SDKs”), clear GIFs, session replay scripts, and JavaScript). Cookies are small text files placed on your device that help the Services work and help us gather statistical information about how visitors use the Services, improve your experience, and maintain security.

Cookies also help us deliver advertisements, some of which may be tailored to your behaviors on the websites. We engage third parties to help us deliver these advertisements, and these third parties may collect your information over time and across our Services (and third party sites) in order to associate different devices you use and further gain insights into the goods and services that may interest you.

To exercise your options with respect to cookies, please select “Cookie Preferences” on the banner that is visible at the bottom of the website, or click the link at the bottom of epocrates.com labeled “Cookie Preferences”.

We may also use web beacons or clear.gifs. Web beacons, clear.gifs, and similar technologies are pieces of code placed on a web page to collect data on the users of a specific web page.

Server Logs and Widgets:

We may use web server logs. A web server log is a record of activity created by a computer that delivers certain webpages to your browser. Certain activities that you perform utilizing the Services may record information in server logs. For example, the server log may record the search term(s) you use, or the link you clicked on to bring you to the Services. The server log may also record information about your browser, such as your IP address and the cookies set on your browser.

We may also use widgets. A widget is generally an application that can be embedded in a webpage, and which can provide real-time information to the webpage. Widgets are often provided by third parties to enable collection of data about website usage.

We may use mobile analytics software to allow us to better understand the functionality of our Services. This software may record information such as, but not limited to, how often you use the application, the events that occur within the application, usage information, performance data, and where the application was downloaded from.

We or third parties with whom we may partner to provide certain features within our Services or to display advertising based upon your browsing activity use LSOs (Local Shared Objects), which are similar to cookies, to collect and store information. Various browsers may offer their own management tools for removing LSOs.

We may partner with third parties to either display advertising on our website and mobile applications or to manage our advertising on other sites. Our third party partners may use technologies such as cookies to gather information about your activities on this site and other sites in order to provide you targeted advertising based upon your browsing activities and interests.


IX. Social media and other integrations

Some of our Services may have social media and technology integrations that are operated or controlled by separate entities. We also may collect information from third party social media and marketing companies to enhance our data sets. Some examples include:

  • Links. Our Services include links that hyperlink to websites, platforms, and other services not operated or controlled by us.
  • Liking, Sharing, and Logging-In. We may embed a pixel or SDK on our Services that allows you to “like” or “share” content on, or log in to, your account through social media. If you choose to engage with such integration, we may receive information from the social network that you have authorized to share with us. Please note that the social network may independently collect information about you through the integration.
  • Brand Pages and Chatbots. We may offer our content through social media. Any information you provide to us when you engage with our social media content is treated in accordance with this Policy. Also, if you publicly reference our Services on social media (e.g., by using a hashtag associated with epocrates in a tweet or post), we may use your reference on or in connection with our Services.
  • Platform Linking. Our Services may offer you the ability to link to another service or partner to retrieve certain data about your account on that service. For more information about how these platforms handle information about you, please refer to their respective privacy policies and terms of use.

Please note that when you interact with other entities, including when you leave our Services, those entities may independently collect information about you and solicit information from you. The information collected and stored by those entities remains subject to their own policies and practices, including what information they share with us, your rights and choices on their services and devices, and whether they store information in the U.S. or elsewhere. We encourage you to familiarize yourself with and consult their privacy policies and terms of use.
