Last Updated: January 3, 2025
The MSK Remote Monitoring Application (the “App”) is operated by Memorial Sloan Kettering Cancer Center (“MSK,” “we”, “our” or “us”). MSK is committed to the individual privacy of every user of the App.
By providing your Personal Data to MSK or otherwise using the App, you understand that we may collect, use, and disclose your information as described in this MSK Remote Monitoring Application Privacy Notice (this “Privacy Notice”). This Privacy Notice is not a contract and does not create any contractual rights or obligations.
Information collected from Patients (defined below) through the App is Protected Health Information (defined below) that may be used and disclosed as further described in our Notice of Privacy Practices (HIPAA). If there is a conflict or inconsistency about our use or disclosure of Protected Health Information between this Privacy Notice and the Notice of Privacy Practices (HIPAA), we will follow the Notice of Privacy Practices (HIPAA).
What this Notice Covers
This Privacy Notice describes how we collect, use, and disclose the Personal Data (defined below) that we collect or receive through the App.
The App is made available to registered patients of MSK and Memorial Medical Care, P.C. enrolled in a remote monitoring program as part of their care (“Patients”). The App is also offered as a service to any individual to whom a Patient has granted access to his or her medical record in MSK MyChart, which access rights will extend to the App as well (a “Proxy account”). Any information collected through the App from Patients or Proxy account users will be used and disclosed in accordance with this Privacy Notice. All users of the App are collectively referred to in this Privacy Notice as “users”.
The Information We Collect and Use
Patient medical records include patient health information known as Protected Health Information (“PHI”), which is regulated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). PHI includes certain information that is (a) created or received by a health care provider and relates to an individual’s past, present, or future physical or mental health or condition, health care provided to an individual, or the past, present, or future payment for health care provided to an individual; and (b) that identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual. Please review our Notice of Privacy Practices (HIPAA) for information on how we may use and disclose your PHI.
When we use the term “Personal Data” we mean information that we directly associate with a specific person, or that we can reasonably use to identify a specific person such as a name or email address. Any Personal Data we collect through the App that is also PHI will be handled as further described in our Notice of Privacy Practices (HIPAA). We collect and use Personal Data and PHI through your use of the App in the following ways:
1. Personal Data You Provide to Us
We collect Personal Data when you choose to share that information with us, including in the following ways.
All Users:
- Users may access the App through their MSK MyChart portal, or by logging into the App using their MSK MyChart username and password. When you access and set up your App account through MSK MyChart, we collect your name and your MSK MyChart username.
- We may collect information and use it to manage how we communicate with you. For example, we may use your email address to alert you that you have a message waiting in the App.
- When you send a message to health care providers or other MSK staff through the App, we collect the content of the message and the metadata associated with the message. We use this information to respond to your messages and to manage your care.
Patient Users:
- Remote monitoring devices issued to you or approved as part of your care, such as a carbon dioxide or blood pressure monitor, or a fitness tracker, will appear in your App account (“Monitoring Devices”). You may also connect mobile health applications selected by your care team, such as iHealth MyVitals or Omron Connect (“Mobile App Integrations”). Once connected, we will collect data from these Monitoring Devices and Mobile App Integrations which will be used to give us more information about your health. In addition, certain App users may be asked for permission to collect location data and to connect to nearby devices. MSK will use such permissions for the sole purpose of connecting to Monitoring Devices and enabling Mobile App Integrations, and all such location and connection data will remain on your mobile device and not be sent to or collected by MSK.
- We may collect your street address and contact information to confirm the information given to your care team is correct and to manage the delivery of one or more Monitoring Devices to you.
2. Information We Collect Automatically
We use certain technologies in the App to automatically collect information during your use of the App (“Other Information”). If we associate Other Information with Personal Data, we will treat the combined information as Personal Data in accordance with this Privacy Notice.
The technologies we use to collect Personal Data and other information include the following:
- Web Log File Data. Like most other mobile applications, we collect some basic information automatically about you and store it in log files. This information may include IP address, internet service provider, pages you visit from and pages you go to after leaving the App, pages you visit on the App (e.g., to access articles, and other materials from MSK; and to communicate with MSK), date and time stamp, and clickstream data. We use this information for the management and administration of the App, to improve the content, overall performance and user experience on the App, for fraud protection and for protecting our rights.
- Data from Cookies and Other Data Collection Technologies. We and our service providers use cookies, web beacons and similar technologies to manage the App and to collect information about you when you use the App. These technologies help us to recognize you, analyze your use of the App and identify solutions for how to make the App more useful. These technologies also allow us to enhance the usability of the App by aggregating demographic and statistical data and providing this information to our service providers.
- Information for Analytics. We use analytics providers to help us track certain information about your activity in the App, and to evaluate and measure the use and performance of the App. We may combine this information with other information we have about you to help us improve the App and our service to you.
Please see more information on analytics and data collection technologies and the choices you can make in the “Your Online Choices” section of this Privacy Notice.
3. Additional Uses of Personal Data
In addition to the uses described above, we may, consistent with our other legal obligations, use your Personal Data for the following purposes:
- Maintaining, delivering and improving the App and our services;
- Contacting you to respond to your requests or inquiries and provide support;
- Sending you technical notices, updates, security alerts and support and administrative messages;
- Developing new resources and services;
- Conducting, managing and growing our business operations;
- Analyzing Patient experience as well as provider and hospital performance;
- Preventing, investigating and providing notice of fraud, unlawful or criminal activity or unauthorized access to or use of Personal Data, the App or our data systems, or to meet legal obligations;
- Investigating and resolving disputes and security issues and enforcing our App Terms and Conditions; and
- Carrying out any other purpose for which the information was collected.
We also may use aggregated or de-identified information, which cannot reasonably be used to identify you. Once de-identified and aggregated so that data does not personally identify you (for example, we may aggregate data to improve our automation and improve care), it is no longer Personal Data. Such de-identified or aggregated information which does not identify individuals is not subject to this Privacy Notice.
How We Disclose Personal Data
We may disclose Personal Data collected through the App as described in the sections above, for the reason(s) provided to you at the time we collect it, with your authorization or consent, as permitted by law, and in the following ways:
- Patients and Proxy Users. Proxy users can view information about the Patient’s Monitoring Devices and Mobile App Integrations and the data collected by those Monitoring Devices and Mobile App Integrations.
- Third-Party Service Providers. We may disclose Personal Data to vendors who perform services on our behalf, including, but not limited to helping us manage the App, your medical records, and your health care, facilitate single sign-on into the App, manage our communication channels and conduct analytics, and providers involved in hosting and monitoring the App.
- Affiliates. We may disclose Personal Data between and among MSK and our current and future parents, affiliates, subsidiaries and other companies under common control and ownership.
- Legal Process, Safety and Terms Enforcement. We may disclose your Personal Data to legal or government regulatory authorities in response to a search warrant, subpoena, court order or other request for such information or to assist in investigations. We may also disclose your Personal Data to third parties in connection with claims, disputes or litigation, when otherwise required by law, if we determine such disclosure is necessary to protect the health and safety of us or our users or to enforce our legal rights or contractual commitments that users have made.
- Business Transfers. We may disclose Personal Data as a part of a corporate business transaction, such as a merger, acquisition, reorganization, divestiture, dissolution, joint venture or financing, bankruptcy or sale of all or a portion of our assets.
Security
We seek to use reasonable physical, technical, and administrative measures designed to protect Personal Data within our organization. Unfortunately, no data transmission or storage system can be guaranteed to be 100% secure. If you have reason to believe that your interaction with us is no longer secure (for example, if you feel that the security of your account has been compromised), please immediately notify us as described in the “Contact Us” section below.
Links to Other Websites or Mobile Applications
The App may contain links to websites or mobile applications owned and operated by third parties. Other websites may also reference or link to our App. These other websites are not controlled by MSK. A link to a third party’s website or mobile application does not imply an endorsement of that website’s or mobile application’s content or services. This Privacy Notice does not apply to, and we are not responsible for, the privacy practices of third-party websites or mobile applications that are not owned by us. We encourage you to read privacy statements of any third-party websites or mobile applications to learn about their information practices. Visiting these other websites and mobile applications is at your own risk.
Notices to Individuals Located Outside of the United States
1. Notice to Individuals Located in the United Kingdom, European Economic Area, and Switzerland
This Privacy Notice describes ways in which you may provide information to MSK using the App. Personal Data about individuals located in the European Economic Area, United Kingdom, or Switzerland (generally referred to here as the “EU”) are subject to special protections under EU law when the processing of those data is within the scope of the European Union’s General Data Protection Regulation (EU Regulation 2016/679), its incorporation into the laws of England and Wales, Scotland, and Northern Ireland by virtue of the UK European Union (Withdrawal) Act 2018 and/or the Swiss Federal Act on Data Protection, as applicable (together, the “GDPR”). This Notice to Individuals Located in the United Kingdom, European Economic Area, and Switzerland (the “GDPR App Notice”) applies to MSK’s processing of Personal Data that is within the scope of the GDPR, which we call collectively the “GDPR Processing Activities.” This GDPR App Notice applies only to GDPR Processing Activities involving Personal Data collected through the App. When you use the App to transfer your Personal Data to MSK in the United States for GDPR Processing Activities, MSK is a controller of this Personal Data.
We rely on separate and overlapping bases to process your Personal Data lawfully. MSK will use the Personal Data provided through or collected on the App only for the purposes described in this Privacy Notice. MSK’s legal bases for processing your Personal Data include providing you with the information or services that you have requested, protecting your vital interests, furthering our legitimate interests, and your consent, if applicable. When we process special categories of Personal Data, including data concerning your health, our legal bases for processing such data include protecting your vital interests, furnishing a medical diagnosis, performing preventive or occupational medicine or assessment of the working capacity of our workforce, carrying out our obligations under employment or social protection laws, and your consent, if applicable. Legitimate interests that we rely on in processing your Personal Data include (i) improving and customizing the App for you, (ii) understanding how the App is being used, (iii) exploring ways to develop and grow our operations, (iv) ensuring the safety and security of the App, and (v) enhancing protection against fraud, spam, harassment, intellectual property infringement, crime and security risks. Without the ability to collect and process your Personal Data, MSK would not be able to achieve those interests. We may also use your Personal Data for purposes, including scientific research if applicable, that are compatible with the purposes for which such data were initially collected.
If our processing is based solely on consent, you have the right to withdraw your consent.
You may withdraw your consent by contacting us as set forth in the “Contact Us” section below. Please note that, in certain cases, we may continue to process your Personal Data after you have withdrawn consent, if we have a legal basis to do so. For example, we may retain certain information if we need to do so to comply with an independent legal obligation, or if it is necessary to do so to pursue our legitimate interest in keeping the App safe and secure, or if deleting the information would undermine the integrity of a research study in which you are enrolled.
MSK is located in the United States. When you enter your Personal Data through the App, the data is being transferred to, stored, and processed in the United States, and could be transferred to, stored and processed in another country outside of the EU. Please be aware that the appropriate EU government authorities have not found the United States, and possibly other countries to which your Personal Data may be transferred, to provide adequate safeguards for the protection of Personal Data. However, MSK will take steps to maintain the privacy of your Personal Data as described in this Privacy Notice. If MSK transfers your Personal Data outside the EU, we will do so in reliance on mechanisms recognized under the GDPR. This includes (i) transferring your Personal Data to countries or by using legal mechanisms that appropriate EU government authorities have determined to provide adequate data protection, (ii) obtaining your consent to transfer your Personal Data outside the EU after first informing you about the possible risks of such a transfer, (iii) transferring your information outside the EU if the transfer is necessary to the performance of a contract between you and MSK, including to provide treatment to you, or if the transfer is necessary to the performance of a contract between your physician or other health care provider located in the EU, and the contract was entered into in your interest, (iv) transferring your information outside the EU if necessary to establish, exercise or defend legal claims, or (v) transferring your Personal Data outside the EU to protect your vital interests.
We will retain your Personal Data for as long as is necessary for the purposes set out in this Privacy Notice (for example, if you have an account, for as long as your account is active), subject to your right, under certain circumstances, to have certain of your Personal Data erased, as discussed in the next paragraph, unless a longer period is required under applicable law or is needed to resolve disputes or protect our legal rights.
If your Personal Data is processed for GDPR Processing Activities, you have the right to (1) see Personal Data that MSK holds about you and receive any details required to be provided to you under applicable law, (2) correct or update your Personal Data, if inaccurate, (3) limit collection and use of your Personal Data under certain circumstances (for example, if you think it is inaccurate), (4) receive your Personal Data in an electronic format as required by law, except Personal Data that has been used for public interest purposes or for MSK’s legal obligations, (5) request deletion of your Personal Data, subject to MSK’s need to keep such data to comply with legal requirements, for purposes of public health or to preserve the integrity of a research study, or to allow MSK to defend itself from legal claims, and (6) file a complaint with a data protection authority (see this link). If you have questions about the processing of your Personal Data or rights associated with your Personal Data, see the section “Contact Us” below.
2. Notice to Individuals Located in the People’s Republic of China
Individuals located in the People’s Republic of China are afforded certain protections where the handling of their Personal Data is within the scope of the Personal Information Protection Law of the People’s Republic of China (the “PIPL”).
This notice applies to MSK’s processing of Personal Data that is within the scope of the PIPL and describes how the information that you transmit to MSK via the App will be used by MSK. If you travel to the United States to receive treatment, this notice will not apply to the health care information collected or generated about you at MSK. Instead, you will receive a separate notice that describes how such information will be treated by MSK under U.S. federal and state law.
In this notice, Personal Data shall have the same meaning as “Personal Information” under the PIPL. Personal Data includes information that relates to you, including but not limited to your name and address. Personal Data also includes “Sensitive Personal Data”, which is Personal Data that is specially protected under the PIPL. Sensitive Personal Data includes but is not limited to information about your past and present medical health, biometric characteristics, religious beliefs, specially-designated status, and your financial accounts, as well as the Personal Data of minors under the age of 14.
MSK is a Handler of your Personal Data for the purposes of the PIPL.
Description of Personal Data Handling
MSK will handle your Personal Data for the following purposes:
- To diagnose your condition and/or monitor your health.
- To provide treatment to you and/or a medical opinion to you and/or your health care provider in your country.
- To follow-up with you and/or your health care provider in your country before, during, or after your treatment or medical opinion is provided.
- To comply with MSK’s statutory duties, responsibilities, and obligations, including responding to requests of regulatory agencies.
- To establish and defend against legal claims.
- To support MSK’s business and institutional interests (for example, conducting quality assurance and improvement activities and managing MSK’s business operations).
- To respond to your questions and/or your requests to exercise your rights over your Personal Data as provided by the PIPL.
- If you have a Proxy user, to allow you to register a Proxy account and monitor parts of the medical record of the Patient who granted you Proxy access to their App account.
In order to achieve the purpose for which MSK will handle your Personal Data, MSK will handle the following categories of Personal Data and Sensitive Personal Data:
- Basic personal information, such as your name, date of birth, gender, family relation, address, personal phone number, or email.
- Personal identity information, such as your ID number, passport, or resident certificate.
- Physiological and health information, including records generated in connection with your medical treatment, such as pathological information, hospitalization records, physician’s instructions, test reports, surgical and anesthesia records, nursing records, medication administration records, drug and food allergy, fertility information, medical history, diagnosis and treatment, family illness history, history of present illness, and history of infection, and personal health information such as weight and height.
- Other information, such as emergency contacts.
MSK will retain your Personal Data for the period necessary to fulfill the purposes outlined in this notice, unless a different retention period is required or permitted by law.
In order to achieve the above purposes, MSK will use various handling methods, including by collecting your Personal Data from you, your health care providers, and others involved in your medical treatment through email, secure web forms, physical mail, and/or digital portals designed to facilitate healthcare services. Once MSK receives your Personal Data, MSK will store your Personal Data in a data center owned by MSK, as well as in platforms owned by MSK or provided by entrusted persons designed to store and/or handle health data, such as an electronic medical record system and radiology imaging platform.
The following types of persons and entities at, or affiliated with, MSK, will handle your Personal Data to achieve the purposes outlined in this notice:
- Employees or contractors of MSK, such as physicians, pharmacists, nurses, administrative staff and other members of the MSK workforce, who are involved in your treatment or rendering a medical opinion to you, or who act in furtherance of MSK’s business and institutional interests.
- Contractors, vendors, collaborating entities and other entrusted persons that provide services to MSK in support of MSK’s medical services to you or in furtherance of MSK’s business and institutional interests.
Sensitive Personal Data
In order to fulfil the purposes of the Personal Data handling described in this notice, it will be necessary for MSK to handle the categories of your Sensitive Personal Data described in the section above. Without handling your Sensitive Personal Data, MSK would not be able to provide you with medical services or operate its business, as your Sensitive Personal Data is required for MSK to perform necessary actions such as diagnosing your medical condition, providing treatment or medical opinions to you, seeking payment for services, or allowing you to exercise your rights provided by the PIPL.
The handling of your Sensitive Personal Data by MSK may influence your rights and interests in various ways, some of which may not be knowable by you or MSK at the time your Personal Data is handled by MSK. However, your rights and interests may be influenced as follows:
- You may receive medical services intended to benefit your health and well-being, including a diagnosis, medical opinion, or treatment provided to you or your healthcare provider in your country.
- As Sensitive Personal Data is Personal Data that, according to the PIPL, is considered information that may cause harm to your dignity or grave harm to your personal or property security if leaked or illegally used, there is inherently a heightened risk to individuals whenever their Sensitive Personal Data is handled. However, MSK has various measures in place intended to mitigate or eliminate risks to your Sensitive Personal Data, including but not limited to: information security and access management programs and a staff data privacy training program.
Your Rights Provided in the Law
You have certain rights with respect to your Personal Data as provided in the PIPL, including as follows:
- You have the right to consult or copy Personal Data that MSK holds about you.
- You have the right to request that your Personal Data be transferred to another Personal Data Handler. If you make this request, MSK will transfer your Personal Data or provide a channel through which you may transfer your Personal Data.
- You have the right to correct or update your Personal Data if it is inaccurate.
- You have the right to limit or refuse the collection and use of your Personal Data unless laws or administrative regulations stipulate otherwise.
- If information handling is based on your consent, you have the right to rescind consent.
- You have the right to request the deletion of your Personal Data. However, there are limits on your ability to request deletion of your Personal Data. For example, MSK may keep and use some or all of your Personal Data if necessary to comply with legal requirements (for example, legal and regulatory obligations related to the maintenance of medical records at MSK), or where the deletion of your Personal Data is technically hard to realize, in which case MSK shall cease handling your Personal Data except for storage and shall take necessary security protective measures.
If you have questions about the processing of your Personal Data or rights associated with your Personal Data, see the section “Contact Us” below.
Your Choices
Account Information
You may request that we update, correct, or delete information about you in the App, or close your account at any time by contacting us as described in the “Contact Us” section below. Please note that even if you close your account, we may retain certain information as required by law or for legitimate business purposes. We may also retain cached or archived copies of information about you for a certain period of time.
Requests to update, correct, or delete information about you in the App will only apply to your App account, and will not result in changes to your health information in your medical record. If you would like to ask us to correct or amend health information about you in your medical record, please contact our Health Information Management department at 646-227-2089. Please review our Notice of Privacy Practices (HIPAA) for information related to your health information.
Native Applications, Push Notifications, and other Interactive Features
Some features of the App may require access to certain native applications on your mobile device, such as the camera, microphone, Bluetooth, photo/media/files storage applications (e.g., to take and upload photos and videos). If you decide to use these features, we will ask you for your consent prior to accessing the applications and collecting information. Note that you can revoke your consent at any time by changing the settings on your device.
The App may require access to your location to perform certain functions, such as scanning for available Monitoring Devices or enabling Mobile App Integrations. The first time you try to use any features that use your location, we will ask for your consent within the App and will only access your location if you give consent. You do not have to provide consent if you do not want to allow the App to use your location. We do not store your location data.
With your consent, we may send push notifications or alerts to your mobile device. You can deactivate these messages at any time by changing the notification settings on your mobile device or within the App.
Cookies and Analytics Tools
Most browsers and mobile devices allow you to turn off certain cookies if you do not want your preferences tracked. However, the App may not function with cookies turned “off.”
Changes to this Privacy Notice
We reserve the right to amend this Privacy Notice at any time. If we make changes, we will notify you by revising the “Last Updated” date at the top of this Privacy Notice and, in some cases, we may provide you with additional notice (such as by sending you a notification). Therefore, please check this Privacy Notice periodically for updates and to stay informed about our information practices.
Contact Us
If you need technical assistance with the App or have any other questions about using the App, please contact your care team via the App messaging function or directly by phone or email.
To ask questions about the Privacy Notice or other privacy-related matters, you may contact our Privacy Office in the following ways:
MAILING ADDRESS:
Privacy Office
Memorial Sloan Kettering Cancer Center
633 Third Avenue
New York, NY 10017
TELEPHONE:
646-227-2056
EMAIL:
[email protected]
If you are in the European Union, you may address GDPR-related inquiries to our EU representative at:
EU-REP.Global GmbH
Attn: MSKCC
Hopfenstr. 1d, 24114 Kiel, Germany
[email protected]
If you are in the United Kingdom, you may address UK GDPR privacy-related inquiries to our UK representative at:
DP Data Protection Services UK Ltd.
Attn: MSKCC
16 Great Queen Street, Covent Garden, London, WC2B 5AH, United Kingdom
[email protected]