Privacy Policy

Effective Date: 24-September-2025
Last Updated: 24-September-2025

Who We Are

Scope

Key Definitions

Personal Information (PI)/Personal Data: Information that identifies or relates to an identifiable individual.

Protected Health Information (PHI): Individually identifiable health information as defined by HIPAA.

De-identified Data: Data that does not identify an individual and cannot be re-identified, including data de-identified according to HIPAA standards.

Sensitive Personal Information (SPI): Categories such as health data, government identifiers, precise geolocation, financial account details, race/ethnicity (where applicable), etc., as defined by applicable laws.

Controller/Business Associate vs. Processor/Subprocessor: Roles assigned by privacy laws and contracts that determine who decides purposes and means of processing.

Sources of Information

We may collect information from:

  • You directly (contact forms, emails, calls, meetings, proposals, contracts).
  • Employers/plan sponsors/third-party administrators (TPA)/pharmacy benefit managers (PBM) when we are engaged to perform services.
  • Third parties such as PBMs, carriers, rebate aggregators, manufacturers, consultants, auditors, and data processors engaged by you or us.
  • Publicly available sources (registries, professional directories).
  • Automated technologies on our Sites (cookies, analytics, logs).
  • Government and regulatory bodies (for compliance and audit purposes).

What We Collect (By Service Line)

Below are typical categories; actual data collected depends on your engagement and contracts.

Pharmacy Consulting Services

(Pharmacy Diagnostic, Pharmacy Directorship, contract integrity & clinical expertise)

  • Client & Business Contacts: Names, titles, work email, phone, employer, role, meeting notes.
  • Plan & Contract Data: PBM contracts, pricing terms, formularies, network design, utilization management rules, plan design attributes.
  • Claims & Eligibility Data (may include PHI/SPI): Member IDs, eligibility periods, prescriber National Provider Identifier (NPI), National Drug Code (NDC), fill dates, quantity, days’ supply, pharmacy NPI, copay/coinsurance, gross/net cost, dispensing fees, clinical flags (e.g., prior auth, step therapy), and potentially additional data as described under claims data related to Custom RFP Services.
  • Performance & Financial Data: Trend diagnostics, cost drivers, clinical opportunities, savings projections, repricing models, audit findings (if combined with other services).
  • Communications & Documentation: Statements of work (SOWs), BAAs/DPAs, meeting artifacts.

Custom RFP Services

(Vendor-agnostic RFP design, vendor selection support, real-time repricing)

  • Claims data (PHI may apply): claim ID, plan ID, NDC, drug name, fill date, drug channel indication, drug type, specialty indicator, compound indicator, maintenance indicator, formulary indicator, formulary tier, Dispense as Written (DAW) code, member ID, pharmacy NABP/NCPDP ID, pharmacy NPI, pharmacy name, metric quantity dispensed, days supply, paid ingredient cost, dispensing fee, sales tax, gross cost, member cost, plan cost, unit Average Wholesale Price (AWP), total AWP, usual and customary (U&C) cost, pricing basis (AWP, U&C, MAC), Limited Distribution drug list, Specialty drug list.
  • RFP Inputs: Requirements, medical/pharmacy benefit plan details, employee/member counts, geographic/pharmacy network needs, plan design preferences.
  • Vendor Submissions: Proposals, Best and Final Offers (BAFO), pharmacy cost documents, guarantees, rebates, service level commitments, clinical program summaries – specialty drug copay assistance, traditional drug copay assistance, prior authorization, quantity limits, step care edits, high cost low value drug lists, and PBM Contract Score.
  • Comparative Analyses: Repricing of client utilization data under submitted vendor proposals (often de-identified or limited data sets where possible).
  • Contacts: Vendor and client contact details, communications.

Auditing Services

(Discount Validation Audits; Rebate Contract Audits)

  • Claims Data (PHI/SPI may apply): 100% claims files, unit costs, AWP/Wholesale Acquisition Cost (WAC) references, discounts, dispensing fees, DAW, Maximum Allowable Cost (MAC) lists, ingredient cost basis, audit trails, Limited Distribution Drug (LDD) and Exclusive Distribution Drug lists, Specialty drug lists with rates, brand over generic drug lists, audit payout reports.
  • Rebate Records: Manufacturer formulary status, utilization qualifiers, plan design attributes, rebate eligibility and payouts, aggregator statements.
  • Contract Artifacts: PBM and rebate agreements, amendments, pricing appendices, plan design documentation, drug formularies, pharmacy network lists.
  • Findings & Workpapers: Discrepancies, variance analysis, remediation recommendations.

Implementation Support

(PBM transitions, contract negotiation, test claims, pre-implementation audits)

  • Eligibility Files (PI/PHI): Member/demo data as required for enrollment and test claims (e.g., member ID, coverage tier, effective dates; we recommend minimum necessary).
  • Plan Configuration Data: Plan design rules, codes, accumulators, formulary selections, PBM Clinical Program selections.
  • Project Communications: Project plans, meeting notes, issue logs, test scripts, test results, employer (plan sponsor) & member communications including letters, flyers, and booklets.
  • Vendor Contacts & Technical Details: File specifications, connectivity details, error reports.

Analytics & Reporting

(Quarterly dashboards, contract performance tracking)

  • Aggregated & De‑identified Metrics: Performance vs. guarantees, trend lines, outlier detection.
  • Client‑Authorized Identifiable Data (if needed): Member segment insights, program eligibility lists (we minimize identifiers where possible).
  • Dashboard Access Logs: Authorized user accounts, role-based permissions, activity logs.

Website, Events & General Operations

  • Site Usage: IP address, device/browser, pages viewed, timestamps, referrers, cookie IDs; may include analytics from third parties.
  • Inquiries/Subscriptions: Names, email addresses, company, role, preferences.
  • Vendor Management: Business contact data, contract, and payment details.

We use the minimum necessary data for the stated purposes and strongly prefer de‑identified or limited data sets when feasible. We apply de‑identification or irreversible aggregation where feasible to extend utility while reducing privacy risk.

How We Use Information (Purposes)

We process information to:

  • Deliver services you request, including diagnostics, RFPs, audits, implementation, analytics, and advisory.
  • Validate contract performance (e.g., discount guarantees, rebate accuracy).
  • Model and reprice according to client‑authorized rules and scenarios.
  • Manage transitions (eligibility, test claims, configuration validation).
  • Provide Reporting & Dashboards (including aggregated or de‑identified insights).
  • Secure Our Systems (access control, monitoring, fraud/waste/abuse detection).
  • Comply with Laws & Contracts (HIPAA, BAAs, DPAs, financial and regulatory requirements).
  • Operate Our Business (billing, account management, vendor oversight).
  • Communicate about updates, events, thought leadership (you can opt out of marketing at any time).
  • Improve Services (quality assurance, training, product enhancement).
  • Defend Legal Claims and protect rights, privacy, safety, and property.

How We Share Information

We disclose information only as permitted by law and contract, including:

  • Your Authorized Parties: PBMs, TPAs, carriers, rebate aggregators, actuaries, auditors, counsel, and other vendors designated by you.
  • Subprocessors/Service Providers: Cloud hosting, data storage, analytics, security, email, project tools—bound by confidentiality and data protection obligations.
  • Professional Advisors & Insurers: Legal, tax, compliance, insurance.
  • Regulators & Law Enforcement: Where required by law or to protect rights and safety.
  • Business Transfers: In mergers and acquisitions, financing, reorganization.
  • De‑identified or Aggregated Data: For benchmarking, analytics, and reporting that does not identify individuals.

We do not sell or share Personal Information for cross‑context behavioral advertising (as defined by U.S. state privacy laws). If this ever changes, we will update this Policy and provide required opt‑out mechanisms.

Cookies and Online Tracking

We use cookies and similar technologies to operate the Sites, measure performance, and improve user experience. Please review our Cookie Policy for more information.

Retention

We retain information only as long as necessary for the purposes described or as required by law and contract. Typical retention considerations:

  • Client Data: Sixty (60) days, subject to contractual and legal requirements.
  • Claims/Audit Workpapers: Ten (10) years, subject to BAAs, DPAs, and legal hold.
  • Contracts & Financial Records: Ten (10) years, to meet regulatory/recordkeeping requirements.
  • Data Access Logs: One (1) year, for security and auditability.
  • Marketing & Website Data: As short as practicable, per consent and opt-out preferences.

Security

We implement administrative, technical, and physical safeguards, including, as appropriate:

  • Access Controls & Least Privilege (role-based access, MFA)
  • Encryption in transit and at rest for data
  • Network & Endpoint Security (segmentation, EDR, vulnerability management)
  • Monitoring & Logging (audit trails, tamper detection)
  • Secure Development & Change Management
  • Vendor Risk Management (due diligence, DPAs/BAAs)
  • Employee Training & Confidentiality
  • Incident Response & Breach Notification consistent with applicable laws (e.g., HIPAA after discovery without unreasonable delay).

Your Privacy Rights

Depending on your location and role, you may have rights to:

  • Access/Know the personal information we hold about you.
  • Correct inaccuracies.
  • Delete/Erase certain data.
  • Portability (receive data in a portable format).
  • Restrict/Object to certain processing.
  • Opt Out of sale/sharing and targeted advertising (where applicable).
  • Limit Use/Disclosure of Sensitive PI (where applicable).
  • Withdraw Consent (where processing is based on consent).
  • Non‑Discrimination for exercising your rights.

How to Exercise Rights

If your data is processed as part of a client engagement (e.g., PHI in claims): Please contact your plan sponsor/covered entity. Ethica, as Business Associate/processor, will assist them in responding.

Children’s Privacy

Our Services are not directed to children under 13 (or the applicable age of digital consent). We do not knowingly collect PI from children via our Sites. PHI processed for plan members is handled under HIPAA/contractual frameworks via the plan sponsor or covered entity.

Role‑Specific Notices

Business Associate / Processor: For PHI or client‑controlled personal data, Ethica processes data only on documented instructions and the minimum necessary to perform contracted Services, implements safeguards, assists with audits/assessments, and supports incident response and data subject requests as required.

Controller Activities: For our Sites, marketing, and vendor onboarding, Ethica determines purposes/means consistent with this Policy and applicable law.

HIPAA Addendum

This Addendum applies when Ethica acts as a Business Associate to a HIPAA Covered Entity (e.g., plan sponsor or health plan) or another Business Associate. If there is a conflict between this Addendum and Ethica’s general Privacy and Security Policy for PHI-related engagements, this Addendum governs.

Key Terms: “Protected Health Information” (PHI), “electronic PHI” (ePHI), “Business Associate,” “Covered Entity,” “Use,” and “Disclosure” are defined by 45 C.F.R. Parts 160 and 164.

Permitted Uses & Disclosures of PHI

Ethica may use or disclose PHI only:

  • As permitted by the applicable Business Associate Agreement (BAA) and this Addendum.
  • As required by law.
  • For internal management/legal responsibilities (with required safeguards).
  • For data aggregation services, if authorized.

Ethica applies the Minimum Necessary standard to all PHI uses and disclosures, except where HIPAA exempts it (e.g., disclosures to individuals, HHS, or as required by law). De-identified data or Limited Data Sets (LDS) are used where feasible, under HIPAA-compliant methods.

Ethica does not sell PHI or use it for marketing without valid HIPAA authorization. If marketing involves remuneration, the authorization will disclose this.

Support for Individual Rights

Ethica will assist Covered Entities in fulfilling individual rights under HIPAA, including:

  • Access, inspection, and copying of PHI (45 C.F.R. §164.524).
  • Amendment of PHI and incorporation of approved changes (45 C.F.R. §164.526).
  • Accounting of non-TPO disclosures, with a six-year lookback (45 C.F.R. §164.528).

Subcontractor Compliance

Ethica ensures all subcontractors handling PHI:

  • Enter into BAAs.
  • Comply with HIPAA Privacy and Security Rules.
  • Are subject to appropriate oversight and incident reporting.

Subcontractors & Downstream Compliance

Ethica will ensure all subcontractors that create, receive, maintain, or transmit PHI on Ethica’s behalf enter BAAs and comply with applicable HIPAA Security/Privacy requirements. Ethica will also report security incidents to the Covered Entity as required by the Security Rule.

Security Program (HIPAA Security Rule)

Ethica maintains safeguards aligned with HIPAA’s Security Rule, including:

  • Administrative: Risk analysis, workforce training, sanctions, activity review.
  • Physical: Facility access controls, workstation security.
  • Technical: Role-based access, encryption (in transit and at rest), audit logs, transmission security.
  • Contingency Planning: Backup, disaster recovery, emergency-mode operations, testing.
  • Documentation: Maintained per 45 C.F.R. §164.308–316.

Breach Notification

If Ethica discovers a breach of unsecured PHI:

  • Notification will be made to the Covered Entity without unreasonable delay, and no later than sixty (60) calendar days from discovery.
  • Ethica will provide the information required under 45 C.F.R. §164.404.
  • A breach risk assessment (four-factor test) will be conducted unless the Covered Entity opts to notify without assessment.
  • Documentation will be retained to meet the burden of proof (45 C.F.R. §164.414).

Documentation & Retention

Ethica retains HIPAA-related documentation (e.g., policies, BAAs, risk assessments, disclosure logs, breach records) for at least six (6) years from creation or last effective date, or longer if required by law or contract.

Department of Health & Human Services (HHS) Access

Ethica will make its internal practices, books, and records related to PHI available to the Secretary of HHS upon request for compliance review.

Discount Validation & Rebate Audits Addendum

  • Data Types: Full claims extracts; formulary placement; DAW codes; MAC lists; rebate eligibility rules; aggregator statements; prescriber/pharmacy NPI.
  • Purpose: Verify accurate application of discounts/fees and rebate payments against contract terms.
  • Methodology: Deterministic and rules‑based validation; variance analyses; findings reports with remediation recommendations.
  • Safeguards: Segregated environments; restricted access to PHI; strong audit logging; minimum necessary extracts; secure file transfer.

RFP & Repricing Addendum

  • Data Types: RFP requirements; de‑identified utilization baselines; vendor proposals; repricing outputs.
  • Purpose: Transparent vendor selection; unbiased repricing; scenario comparisons.
  • Neutrality: Ethica remains vendor‑agnostic; no hidden alliances; conflicts disclosed.
  • Safeguards: De‑identification by default; use of limited data sets when required by modeling; confidentiality controls.

Implementation Support Addendum

  • Data Types: Eligibility files; plan codes; test claims; error logs; issue trackers.
  • Purpose: Seamless PBM transitions; accurate plan coding; pre‑implementation audits.
  • Safeguards: Secure FTP(S) or API transfer; data minimization in tickets/logs; purge schedules post‑cutover.

Your Choices

  • Marketing Communications: Opt out via the email footer or contact us.
  • Cookies/Tracking: Use browser settings or our cookie preferences center (where available).
  • Member‑Specific Requests related to PHI: Contact your plan sponsor/covered entity; we will support them per our BAA.

Changes to This Policy

We may update this Policy from time to time. Changes will be posted with an updated “Last Updated” date. Material changes will be communicated as required by legal, regulatory, or contractual obligations.

Contact Us

Email: info@ethicapharmacyadvisors.com

Postal Mail:

Ethica Pharmacy Advisors

Attn: Privacy Office

828 John Nolen Drive

Madison, WI 53713