How We Handle Your Personal Information
This policy sets out what data we collect when you visit department-of-health.org/, why, who we share it with, how long we keep it, and the rights you have under California, Virginia, Texas, Florida, Colorado, Connecticut, and other state privacy laws. Read it alongside our Cookie Policy and Disclaimer.
1. Who We Are
department-of-health.org/ is an independent informational and educational directory of U.S. state departments of health, vital records offices, restaurant inspections, immunization information systems, and healthcare facility licensing. It is operated as a privately-owned editorial publication. We are not affiliated with HHS, CDC, FDA, CMS, HRSA, NIH, SAMHSA, IHS, ASPR, OCR, OIG, ASTHO, NACCHO, CSTE, APHL, or any state or local health department.
For all privacy and data inquiries, contact: info@department-of-health.org
2. HIPAA Carve-Out: Critical to Understand
The HIPAA Privacy Rule (45 C.F.R. Parts 160 and 164) and Security Rule apply to "covered entities" (health plans, healthcare clearinghouses, and most healthcare providers) and to their "business associates." department-of-health.org/ is none of these. We do not collect, store, transmit, or maintain Protected Health Information (PHI) in the technical HIPAA sense. We do not have a physician-patient or hospital-patient relationship with you. We are an editorial directory, not a healthcare provider.
This carve-out matters because it means HIPAA does not give you specific rights against us, but it also means we will never be in a position where someone else’s PHI ends up on our site through our action. If you send us a message that contains health information about yourself or someone else, we treat that information confidentially and limit access to staff who need to respond, but we do not promise HIPAA-equivalent protection. Please do not send us PHI: not your medical records, not your diagnosis, not test results, not prescriptions. If you want to file a HIPAA complaint about a healthcare provider or health plan, that goes to the HHS Office for Civil Rights at hhs.gov/ocr, not to us.
State health departments are typically HIPAA covered entities for the healthcare they provide directly (clinics, immunization administration, public-health labs), and your interactions with the state agency itself are governed by HIPAA. Our site, which only describes how to reach those agencies, is not.
3. FCRA Non-CRA Position
The Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.) regulates "consumer reports" used for "permissible purposes", primarily employment, credit, insurance, and tenant screening. department-of-health.org/ does not assemble, evaluate, or sell consumer reports. We do not provide "background checks." We do not provide reports for employment, credit, insurance, tenant-screening, healthcare-credentialing, or any other FCRA-permissible purpose.
If you need an FCRA-compliant background check on a healthcare professional or any other purpose, use a CRA licensed for that purpose. Information published on our site is general informational content drawn from public records and authoritative public sources; it is not a “consumer report” in the FCRA sense.
4. What Information We Collect
We collect only what’s necessary to operate the site:
| Category | Examples | How collected |
|---|---|---|
| Server logs | IP address (truncated), user-agent, request path, response code, timestamp | Automatic, every request |
| Analytics | Page views, time on page, click paths, referrer (aggregated) | Google Analytics 4 if you consent |
| Cookie preferences | Your accept/reject choice for analytics and advertising | Cookie banner |
| Functional preferences | Selected state, font size, accessibility preferences | Local browser storage |
| Email content | Anything you send to info@department-of-health.org | Direct email from you |
| Advertising data | Frequency capping, ad measurement | Google AdSense if you consent |
We do not collect: your name, address, phone number, date of birth, Social Security Number, or any health information unless you choose to email it. We do not require account creation. We do not run client-side fingerprinting beyond what is necessary for security and bot mitigation through Cloudflare.
5. Why We Collect It
- To operate the site: load pages, prevent fraud, mitigate bots and abuse
- To remember your choices: cookie consent, accessibility preferences, selected state
- To understand what’s useful: aggregate analytics on which state pages and walkthroughs are read most
- To support display advertising: frequency capping and basic measurement, with personalised advertising only where you have consented
- To respond to your messages: when you email us
6. Legal Bases & State-Law Framework
The legal foundation for processing depends on your jurisdiction. For visitors in states with comprehensive privacy laws (CCPA/CPRA in California, VCDPA in Virginia, CPA in Colorado, CTDPA in Connecticut, UCPA in Utah, TDPSA in Texas, FDBR in Florida, OCPA in Oregon, and others), processing is based on (a) the necessity of providing the requested service, (b) our legitimate interest in operating the site safely and improving it, and (c) your consent for analytics and advertising cookies.
8. How Long We Keep Information
| Data type | Retention |
|---|---|
| Server logs (security) | 30 days, then aggregated |
| Analytics data | 14 months (default GA4 retention) |
| Cookie consent record | 12 months from when set |
| Email correspondence | 3 years from last contact, then deleted |
| Functional preferences | Until you clear browser data |
9. Your Rights Under U.S. State Privacy Laws
Comprehensive privacy laws across U.S. states give residents specific rights. The exact rights depend on your state of residence; the table below summarises the main rights under the most-cited state laws.
| State / Law | Citation | Key rights |
|---|---|---|
| California (CCPA / CPRA) | Cal. Civ. Code § 1798.100 et seq. | Know, delete, correct, opt-out of sale/sharing, limit use of sensitive information, non-discrimination |
| Virginia (VCDPA) | Va. Code § 59.1-575 et seq. | Access, delete, correct, portability, opt-out of targeted advertising / sale / profiling |
| Colorado (CPA) | C.R.S. § 6-1-1301 et seq. | Access, delete, correct, portability, opt-out of targeted advertising / sale / profiling |
| Connecticut (CTDPA) | Conn. Gen. Stat. § 42-515 et seq. | Access, delete, correct, portability, opt-out of targeted advertising / sale / profiling |
| Utah (UCPA) | Utah Code § 13-61 | Access, delete, portability, opt-out of targeted advertising / sale |
| Texas (TDPSA) | Tex. Bus. & Com. Code Ch. 541 | Access, delete, correct, portability, opt-out of targeted advertising / sale / profiling |
| Florida (FDBR) | Fla. Stat. § 501.701 et seq. | Access, delete, correct, portability, opt-out of targeted advertising / sale |
| Oregon (OCPA) | ORS Ch. 646A | Access, delete, correct, portability, opt-out of targeted advertising / sale / profiling |
| Other states | Various | Iowa, Tennessee, Indiana, Montana, New Jersey, Delaware, New Hampshire, Kentucky, Maryland, Minnesota, Nebraska, Rhode Island and others have or are implementing comparable laws |
To exercise any right, email info@department-of-health.org with subject line “Privacy rights request” and your state of residence. We respond within 45 days (extendable to 90 days where allowed for complex requests). We may need to verify your identity to protect against fraudulent requests.
10. Children
department-of-health.org/ is not directed to children under 13. The federal Children's Online Privacy Protection Act (COPPA, 15 U.S.C. §§ 6501–6506) imposes specific obligations on operators that knowingly collect personal information from children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided personal information through the site, email info@department-of-health.org and we will delete the information promptly.
11. Security
We use industry-standard technical and organisational measures to protect information:
- HTTPS/TLS encryption for all site traffic
- Cloudflare for DDoS and bot mitigation
- Access controls: only authorised editorial staff can access logs and email
- Periodic security review of hosting and email infrastructure
- No on-site collection of payment card information, Social Security Numbers, or health records
No internet transmission or storage system is perfectly secure. If we discover a breach affecting personal information, we will notify affected users in accordance with applicable state breach-notification laws.
12. International Visitors
Our site is operated from and intended for visitors in the United States. If you visit from outside the U.S., your information will be transferred to and processed in the U.S. We do not market to or knowingly collect data from EU/EEA, UK, or other non-U.S. visitors as a primary audience, but we do honour Global Privacy Control (GPC) signals and reasonable rights requests from visitors regardless of location.
13. Changes to This Policy
We update this policy when our practices change or when applicable laws change. Substantive changes are flagged at the top of the page with a new “Last reviewed” date and, for material changes, a notice on the site for 30 days.
14. Contact
For any privacy or data-rights question, email info@department-of-health.org with subject line “Privacy” or “Privacy rights request”; see Contact Us for the full list of channels.
Have a Privacy Question or Rights Request?
Email us with subject line “Privacy rights request.” We respond within 45 days as required by California, Virginia, Colorado, Connecticut, Texas, Florida, Oregon, and other state privacy laws.
info@department-of-health.org