AvalonBay Consumer Health Data Privacy Policy

Effective Date: June 30, 2024
Last Updated: June 30, 2024

This supplemental Consumer Health Data Privacy Policy ("Health Privacy Policy") applies to AvalonBay Communities, Inc., and explains our practices as to personal information that qualifies as "consumer health data" as such term is defined by Washington's My Health My Data Act[1] and other U.S. consumer health data privacy laws, as each are amended and as and when they become effective including any regulations thereunder ("U.S. Consumer Health Data Privacy Laws") and supplements our U.S. State Privacy Notice. In the event of a conflict with any other privacy policy or notice, other than an express notice given at the time of collection, this Health Privacy Policy shall govern with respect to consumer health data.

I. Categories of Consumer Health Data Collected

The categories of consumer health data that we collect may include the following:
  1. Individual health conditions, treatment, diseases, or diagnosis
  2. Social, psychological, behavioral, and medical interventions
  3. Health-related surgeries or procedures
  4. Use or purchase of prescribed medication
  5. Diagnoses or diagnostic testing, treatment, or medication
  6. Data that identifies a consumer seeking health care services
  7. Biometric data
  8. Consumer health data that we or our processors infer, derive, or extrapolate based on other consumer health data, or on personal information generally
  9. Bodily functions, vital signs, symptoms, or measurements indicating consumer health data

II. Sources of Consumer Health Data

We collect consumer health data from the following sources: you, your agents and representatives (for example, doctors who provide you a medical note or legal representatives in relation to a complaint or claim), governmental entities (for example, if you have filed a lawsuit against us, we may obtain information from official filings), our affiliates and related entities, and other third parties that may have your consumer health data in relation to the processing purposes described herein.

III. Purposes of Consumer Health Data Collection and Uses

We may collect consumer health data if you make a disability-related accommodation or modification request pursuant to the Fair Housing Act, a complaint or claim to or about us that may allege personal injury, or an incident report involving personal injury, or if you are involved in an accident or incident at one of our physical locations. For example:
  • If you are present during an incident or accident that occurs at one of our physical locations (such as a safety or security incident), we may collect information about you, including consumer health data, in relation to this. This includes your physical characteristics that we observe through review of security footage, if available, to investigate the incident, some of which the U.S. Consumer Health Data Privacy Laws may classify as consumer health data.
  • We may collect your consumer health data relating to personal injury claims in connection with incidents occurring at one of our physical locations. This could include all the categories of consumer health data in the list below.
  • When you apply to become a resident and/or when you become a resident, we provide you the option to submit information for the purposes of us evaluating disability-related accommodations or modification requests pursuant to the Fair Housing Act. This information may fall under the "individual health conditions, treatment, diseases, or diagnosis" category from the list below.
  • For other resident service requests, or claims or complaints, we may collect some or all of the categories of consumer health data from the list above that you provide to us, or that we receive from third parties (e.g., your attorney, provider, etc.), and that are necessary for us to collect in addressing your request, claim or complaint.

We collect, use, and disclose your consumer health data to respond to your requests for resident support or service, such as disability-related accommodation or modification requests, to address your complaint, or to establish, exercise, or defend a legal claim ("Direct Purposes"). We may also collect, use, and disclose your consumer health data to prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any activity that is illegal under applicable state law or federal law; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action that is illegal under applicable state law or federal law ("Special Purposes").[2] This includes maintaining business and regulatory records related to such purposes.

IV. Sharing of Consumer Health Data with Third Parties and Affiliates

We share consumer health data with third parties in limited circumstances, as follows:
  • Vendors that are classified as "processors" under the U.S. Consumer Health Data Privacy Laws which process consumer health data to assist us in providing services requested by consumers, and for the other purposes described in this Health Privacy Policy.
  • Our other agents and contractors who assist us with the processing purposes described in this Health Privacy Policy, such as legal representatives who assist us with complaints involving consumer health data.
  • If your request, claim or complaint, or an incident or accident, relates to one of our third party on-site management services (e.g., third party security services that patrol some of our communities and/or our concierge services), we will share your personal information, including any consumer health data that is relevant to your request or complaint, with the applicable third party so that they can respond to your request, claim or complaint, or assist us with doing so.
  • If your request, claim or complaint, or an incident or accident, relates to one of our affiliated or related entities, we may share your consumer health data with such affiliates or related entities.
  • Assignees or potential assignees as part of an acquisition, merger, asset sale, or other transaction where another party assumes control over all or part of our business.
  • Other parties with your consent.

V. Categories of Consumer Health Data Shared

We may share all of the categories of consumer health data that we collect, which as discussed above depends on the circumstances under which we collect it. We do not sell consumer health data.

VI. Consumer Health Data Rights

Subject to applicable law, consumers that are provided rights under U.S. Consumer Health Data Privacy Laws may have the following rights related to your consumer health data:
  • Right to confirm processing of consumer health data and access to such data
  • Right to delete
  • Right to withdraw consent (from processing which requires your consent)[3]
  • Right to appeal our refusal to act on a request within a reasonable time after you receive our decision. You may appeal our decision regarding your request by following the instructions in our response to your request. If your appeal is unsuccessful, you can raise a concern or lodge a complaint with the Washington State Attorney General at http://www.atg.wa.gov/file-complaint.

We may limit your request as necessary for us to complete or document a Direct Purpose or Special Purpose.

You may request to exercise these rights by visiting our Consumer Rights Request page here. Please note, as required under Washington's My Health My Data Act, we take commercially reasonable efforts to authenticate your request before we process your request. If we believe we need further information to authenticate your request, we may ask you to provide additional information to us.[4]

Pursuant to the requirements of Washington's My Health My Data Act, we will respond to your privacy requests free of charge, up to twice annually. If requests are manifestly unfounded, excessive, or repetitive, we may charge a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request.[5]

VII. Changes to this Health Privacy Policy

If we change this Health Privacy Policy, we will post the revised version here and change the last updated date (the date it applies from) and/or contact you directly where we deem appropriate to do so under applicable law. You should check here regularly for the most up-to-date version of this Health Privacy Policy.

VIII. Contact Us

If you have any questions about this Health Privacy Policy or practices described in it, you may contact us in the following ways:

Postal Mail: AvalonBay Communities, Inc.
Attn: Privacy/Legal Department
4040 Wilson Blvd., Suite 1000

Email: privacy@avalonbay.com

[1] Washington My Health My Data Act ("MHMDA"), https://app.leg.wa.gov/RCW/default.aspx?cite=19.373&full=true.
[2] RCW 19.373.100(3).
[3] RCW 19.373.040(1)(b).
[4] RCW 19.373.040(1)(e).
[5] RCW 19.373.040(1)(f).