MyMSK Portal Privacy Policy

Last Updated: May 22, 2024

The MyMSK Portal is owned and operated by Memorial Sloan Kettering Cancer Center (“MSK,” “we”, “our” or “us”).  MSK is committed to the individual privacy of every visitor to our Portal.  

BY PROVIDING YOUR PERSONAL DATA TO MSK OR OTHERWISE USING THE MYMSK PORTAL, YOU UNDERSTAND THAT WE MAY COLLECT, USE, AND DISCLOSE YOUR INFORMATION AS DESCRIBED IN THIS PRIVACY POLICY. THIS PRIVACY POLICY IS NOT A CONTRACT AND DOES NOT CREATE ANY CONTRACTUAL RIGHTS OR OBLIGATIONS.

Any information that is Protected Health Information (defined below) may be used and disclosed as further described in our Notice of Privacy Practices (HIPAA). If there is a conflict or inconsistency about our use or disclosure of Protected Health Information between this MyMSK Portal Privacy Policy (“MyMSK Portal Privacy Policy”) and the Notice of Privacy Practices (HIPAA), we will follow the Notice of Privacy Practices (HIPAA).

What this Policy Covers

This MyMSK Portal Privacy Policy describes how we collect, use, and disclose the Personal Data (defined below) that we collect through the Portal. When we say “Portal” we mean collectively:

  • The webpage that launches the MyMSK Portal;
  • Any webpages or interfaces in the Portal that link to this MyMSK Portal Privacy Policy; and
  • Any mobile applications that link to this MyMSK Portal Privacy Policy (“App”).

The Portal is made available to MSK Patients or Proxy account users (defined below) they designate and is offered as a service to Patients of Memorial Medical Care, P.C. (“MMC”) and any Proxy account users they designate.  Any information collected through the Portal from MSK or MMC Patient or Proxy Account users will be used and disclosed in accordance with this MyMSK Portal Privacy Policy.

The Information We Collect and Use

Patient medical records include patient health information known as Protected Health Information (“PHI”), which is regulated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). PHI includes certain information that is (a) created or received by a health care provider and relates to an individual’s past, present, or future physical or mental health or condition, health care provided to an individual, or the past, present, or future payment for health care provided to an individual; and (b) that identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.  Please review our Notice of Privacy Practices (HIPAA) for information on how we may use and disclose your PHI.

When we use the term “Personal Data” we mean information, other than PHI, that we directly associate with a specific person, or that we can reasonably use to identify a specific person such as a name or email address.  As noted above, if any Personal Data we collect through the Portal is also PHI, we will handle it as further described in our Notice of Privacy Practices (HIPAA). We collect and use information through your use of the Portal in the following ways.

1. Personal Data You Provide To Us

We collect Personal Data when you choose to share that information with us, including in the following ways.

All Portal Users:

  • When you set up a Portal account, you will be asked to submit Personal Data such as your name, email address, phone number, and date of birth.  We use this information to set up and administer your Portal account.
  • When you communicate with health care providers or other MSK staff through the Portal, we collect the content of the communications and the metadata associated with those communications. We use this information to respond to your inquiries and facilitate communication.
  • We may collect information and use it to manage how we communicate with you. For example, we may use your email addresses to alert you that you have a message waiting on the Portal.
  • When you sign up for events or content, we may collect your contact information, demographic information and communication preferences, which we use to manage how we communicate with you.

Patients and Proxy Users:

  • Registered MSK or MMC patients (“Patient”) may choose to give other people access to their Portal account (“Proxy account”). If you are an MSK or MMC Patient or are registering for a Proxy account, when you set up a Portal account, you may also be asked to provide other Personal Data such as your mailing address, enrollment ID number, the Patient’s name, medical record number, and, if applicable, information related to a minor Patient’s parent or guardian, including the parent or guardian’s name, mailing address, email address and phone number.
  • When you book appointments through the Portal, we collect information about your contact information, your health care professional and your appointment confirmation, which we use to facilitate scheduling the appointment and to send you appointment reminders.
  • When you order prescription refills through the Portal we collect information about your medication, contact information and preferred pharmacy, which we use to facilitate your prescription renewal request.
  • When you pay your medical bills through the Portal we will collect your payment information, insurance information, billing information and contact information, which we use to fulfill your payment, complete your transaction and deliver an invoice to you.
  • You may choose to connect your Portal account with one or more mobile health applications such as Apple HealthKit™, a fitness tracker, or other wearable device such as a CO or heart rate monitor (“Mobile App Integrations”).  With your permission, we will collect information from these Mobile App Integrations. Data collected from your Mobile App Integrations will be used to give us more information about your health.  In addition, certain App users may be asked for permission to collect location data and to connect to nearby devices. MSK will use such permissions for the sole purpose of enabling Mobile App Integrations, and all such location and connection data will remain on your mobile device and not be sent to or collected by MSK.

2. Information We Collect Automatically

We use certain technologies on the Portal to automatically collect information during your use of the Portal (“Other Information”).  If we associate Other Information with Personal Data, we will treat the combined information as Personal Data in accordance with this MyMSK Portal Privacy Policy.

The technologies we use to collect Personal Data and other information include the following:

  • Web Log File Data.  Like most other websites or mobile applications, we collect some basic information automatically about you and store it in log files.  This information may include IP address, browser type, internet service provider, pages you visit from and pages you go to after leaving the Portal, pages you visit on the Portal (e.g., to access articles, videos, forms, and posts from MSK; to sign up for events organized by MSK; and to communicate with MSK), date and time stamp, and clickstream data.  We use this information for Portal management and administration, to improve the content, overall performance and user experience on the Portal, for fraud protection and for protecting our rights.
  • Data from Cookies and Other Data Collection Technologies.  We and our service providers use cookies, web beacons and similar technologies to manage the Portal and to collect information about you when you use the Portal.  These technologies help us to recognize you, analyze your use of the Portal and identify solutions for how to make the Portal more useful.  These technologies also allow us to enhance the usability of the Portal by aggregating demographic and statistical data and providing this information to our service providers.
  • Information for Analytics.   We use analytics providers to help us track certain information about your activity in the Portal, and to evaluate and measure the use and performance of the Portal.  We may combine this information with other information we have about you to help us improve the Portal and our service to you. 

Please see more information on analytics and data collection technologies and the choices you can make in the “Your Online Choices” section of this MyMSK Portal Privacy Policy.

3. Additional Uses of Personal Data

In addition to the uses described above, we may, consistent with our other legal obligations, use your Personal Data for the following purposes:

  • Maintaining, delivering and improving the Portal and our services;
  • Contacting you to respond to your requests or inquiries and provide support;
  • Sending you technical notices, updates, security alerts and support and administrative messages;
  • Contacting you about programs, products, or services that we believe may be of interest to you, new service announcements, or event invitations;
  • Developing new resources and services;
  • Conducting, managing and growing our business operations;
  • Analyzing Patient experience as well as provider and hospital performance;
  • Preventing, investigating and providing notice of fraud, unlawful or criminal activity or unauthorized access to or use of Personal Data, the Portal or our data systems, or to meet legal obligations;
  • Investigating and resolving disputes and security issues and enforcing our MyMSK Portal Terms and Conditions; and
  • Carrying out any other purpose for which the information was collected.

We also may use aggregated or de-identified information, which cannot reasonably be used to identify you. Once de-identified and aggregated so that data does not personally identify you (for example, we may aggregate data in order to improve our automation and improve care), it is no longer personal information. Such de-identified or aggregated information which does not identify individuals is not subject to this MyMSK Portal Privacy Policy.

How We Disclose Personal Data

We may disclose Personal Data collected through the Portal for the reason(s) provided to you at the time we collect it, with your authorization or consent, as well as in the following ways:

  • Patients and Proxy Users. If a Patient chooses to give other people access to their Portal account as Proxy users, the Proxy users can view certain parts of the Patient medical record that are available through the Portal, such as the Patient’s treatment, test results, diagnostic and billing information, as well as other information available in the Patient’s Portal account.
  • Third-Party Service Providers. We may disclose Personal Data to vendors who perform services on our behalf, including, but not limited to, helping us manage the Portal, manage our communication channels and conduct analytics, providers involved in hosting and monitoring the Portal, payment processors, and pharmacy providers.
  • Affiliates.  We may disclose Personal Data between and among MSK and our current and future parents, affiliates, subsidiaries and other companies under common control and ownership.
  • Legal Process, Safety and Terms Enforcement.  We may disclose your Personal Data to legal or government regulatory authorities in response to a search warrant, subpoena, court order or other request for such information or to assist in investigations.  We may also disclose your Personal Data to third parties in connection with claims, disputes or litigation, when otherwise required by law, if we determine such disclosure is necessary to protect the health and safety of us or our users or to enforce our legal rights or contractual commitments that users have made.
  • Business Transfers. We may disclose Personal Data as a part of a corporate business transaction, such as a merger, acquisition, reorganization, divestiture, dissolution, joint venture or financing, bankruptcy or sale of all or a portion of our assets.

Security

We seek to use reasonable physical, technical, and administrative measures designed to protect Personal Data within our organization. Unfortunately, no data transmission or storage system can be guaranteed to be 100% secure. If you have reason to believe that your interaction with us is no longer secure (for example, if you feel that the security of your account has been compromised), please immediately notify us as described in the “Contact Us” section below.   

Links to Other Websites or Mobile Applications

The Portal may contain links to websites or mobile applications owned and operated by third parties.  Other websites may also reference or link to our Portal. These other websites are not controlled by MSK. A link to a third party’s website or mobile application does not imply an endorsement of that website’s or mobile application’s content or services.  This MyMSK Portal Privacy Policy does not apply to, and we are not responsible for, the privacy practices of third-party websites or mobile applications that are not owned by us.  We encourage you to read privacy statements of any third-party websites or mobile applications to learn about their information practices. Visiting these other websites and mobile applications is at your own risk.

How We Respond to “Do Not Track” Signals

Some web browsers have “Do Not Track” or similar features that allow you to tell each website you visit that you do not want your activities on that website tracked. At present, the Portal does not respond to “Do Not Track” signals and consequently, the Portal will continue to collect information about you even if your browser’s “Do Not Track” feature is activated.

Notice to Individuals Located in the United Kingdom, European Economic Area, and Switzerland

This MyMSK Portal Privacy Policy describes ways in which you may provide information to MSK using the Portal.  Personal Data about individuals located in the European Economic Area, United Kingdom, or Switzerland (generally referred to here as the “EU”) are subject to special protections under EU law when the processing of those data is within the scope of the European Union’s General Data Protection Regulation (EU Regulation 2016/679) (“EU GDPR”), its incorporation into the laws of England and Wales, Scotland, and Northern Ireland by virtue of the UK European Union (Withdrawal) Act 2018 and/or the Swiss Federal Act on Data Protection, as applicable (together, the “GDPR”).  This Notice to Individuals Located in the United Kingdom, European Economic Area, and Switzerland (the “GDPR Portal Notice”) applies to MSK’s processing of Personal Data that is within the scope of the GDPR, which we call collectively the “GDPR Processing Activities.”  This GDPR Portal Notice applies only to GDPR Processing Activities involving Personal Data collected through the Portal.  When you use the Portal to transfer your Personal Data to MSK in the United States for GDPR Processing Activities, MSK is a controller of this Personal Data.

Please be aware that if you use the Portal to transfer your Personal Data to MSK in order to seek care at an MSK facility or a second opinion at MSK, you will be provided a copy of our GDPR Patient Notice and our Notice of Privacy Practices (HIPAA), which will govern our use of protected health information.  The GDPR Portal Notice will not apply to MSK’s use of such information.

We rely on separate and overlapping bases to process your Personal Data lawfully.  MSK will use the Personal Data provided through or collected on the Portal only for the purposes described in this MyMSK Portal Privacy Policy.   MSK’s legal bases for processing your Personal Data include providing you with the information or services that you have requested, protecting your vital interests, furthering our legitimate interests, and your consent, if applicable.  When we process special categories of Personal Data, including data concerning your health, our legal bases for processing such data include protecting your vital interests, furnishing a medical diagnosis, performing preventive or occupational medicine or assessment of the working capacity of our workforce, carrying out our obligations under employment or social protection laws, and your consent, if applicable.  Legitimate interests that we rely on in processing your Personal Data include (i) improving and customizing the Portal for you, (ii) understanding how the Portal is being used, (iii) exploring ways to develop and grow our operations, (iv) ensuring the safety and security of the Portal, and (v) enhancing protection against fraud, spam, harassment, intellectual property infringement, crime and security risks.  Without the ability to collect and process your Personal Data, MSK would not be able to achieve those interests.  We may also use your Personal Data for purposes, including scientific research if applicable, that are compatible with the purposes for which such data were initially collected.

If our processing is based solely on consent, you have the right to withdraw your consent.

You may withdraw your consent by contacting us as set forth in the “Contact Us” section below.  Please note that, in certain cases, we may continue to process your Personal Data after you have withdrawn consent, if we have a legal basis to do so.  For example, we may retain certain information if we need to do so to comply with an independent legal obligation, or if it is necessary to do so to pursue our legitimate interest in keeping the Portal safe and secure, or if deleting the information would undermine the integrity of a research study in which you are enrolled.

MSK is located in the United States.  When you enter your Personal Data through the Portal, the data is being transferred to, stored, and processed in the United States, and could be transferred to, stored and processed in another country outside of the EU.  Please be aware that the appropriate EU government authorities have not found the United States, and possibly other countries to which your Personal Data may be transferred, to provide adequate safeguards for the protection of Personal Data.  However, MSK will take steps to maintain the privacy of your Personal Data as described in this MyMSK Portal Privacy Policy.  If MSK transfers your Personal Data outside the EU, we will do so in reliance on mechanisms recognized under the GDPR.  This includes (i) transferring your Personal Information to countries that appropriate EU government authorities have determined to provide adequate data protection, (ii) obtaining your consent to transfer your Personal Data outside the EU after first informing you about the possible risks of such a transfer, (iii) transferring your information outside the EU if the transfer is necessary to the performance of a contract between you and MSK, including to provide treatment to you, or if the transfer is necessary to the performance of a contract between your physician or other health care provider located in the EU, and the contract was entered into in your interest, (iv) transferring your information outside the EU if necessary to establish, exercise or defend legal claims, or (v) transferring your Personal Data outside the EU to protect your vital interests.

We will retain your Personal Data for as long as is necessary for the purposes set out in this MyMSK Portal Privacy Policy (for example, if you have an account, for as long as your account is active), subject to your right, under certain circumstances, to have certain of your Personal Data erased, as discussed in the next paragraph, unless a longer period is required under applicable law or is needed to resolve disputes or protect our legal rights.

If your Personal Data is processed for GDPR Processing Activities, you have the right to (1) see Personal Data that MSK holds about you and receive any details required to be provided to you under applicable law, (2) correct or update your Personal Data, if inaccurate, (3) limit collection and use of your Personal Data under certain circumstances (for example, if you think it is inaccurate), (4) receive your Personal Data in an electronic format as required by law, except Personal Data that has been used for public interest purposes or for MSK’s required legal obligations, (5) request deletion of your Personal Data, subject to MSK’s need to keep such data to comply with legal requirements, for purposes of public health or to preserve the integrity of a research study, or to allow MSK to defend itself from legal claims, and (6) file a complaint with a data protection authority (see this link). If you have questions about the processing of your Personal Data or rights associated with your Personal Data, see the section “Contact Us” below.

Changes to this MyMSK Portal Privacy Policy

We reserve the right to amend this MyMSK Portal Privacy Policy at any time. If we make changes, we will notify you by revising the “Last Updated” date at the top of this MyMSK Portal Privacy Policy and, in some cases, we may provide you with additional notice (such as adding a statement to our homepage or sending you a notification). Therefore, please check this MyMSK Portal Privacy Policy periodically for updates and to stay informed about our information practices.

Your Choices

Account Information

You may request that we update, correct or delete information about you in the Portal, or close your account at any time by contacting us as described in the “Contact Us” section below.  Please note that even if you close your account, we may retain certain information as required by law or for legitimate business purposes. We may also retain cached or archived copies of information about you for a certain period of time.

Native Applications and Push Notifications on Mobile Device

Some features of our App may require access to certain native applications on your mobile device, such as the camera and photo storage applications (e.g., to take and upload photos and videos). If you decide to use these features, we will ask you for your consent prior to accessing the applications and collecting information. Note that you can revoke your consent at any time by changing the settings on your device.

With your consent, we may send push notifications or alerts to your mobile device. You can deactivate these messages at any time by changing the notification settings on your mobile device or within our App.

Cookies and Analytics Tools

Most browsers allow you to turn off certain cookies if you do not want your preferences tracked.  However, your cookie feature on your browser must be turned “on” so you can use the Portal. The “help” menu on most internet browsers contains information on how to control cookies, or you can visit www.aboutcookies.org/how-to-control-cookies/.

Contact Us

If you need technical assistance with the Portal or have any other questions about using the Portal, you may contact the Portal Help Desk by using the Message Center found at https://my.mskcc.org or by calling 1(800) 248-0593 or 1(646) 227-2593.

To ask questions about the MyMSK Portal Privacy Policy or other privacy-related matters, you may contact our Privacy Office in the following ways:

MAILING ADDRESS:
Privacy Office
Memorial Sloan Kettering Cancer Center
633 Third Avenue
New York, NY 10017

TELEPHONE:
646-227-2056

EMAIL:
[email protected]

If you are in the European Union, you may address GDPR-related inquiries to our EU representative at:

EU-REP.Global GmbH
Attn: MSKCC
Hopfenstr. 1d, 24114 Kiel, Germany
[email protected]

If you are in the United Kingdom, you may address UK GDPR privacy-related inquiries to our UK representative at:

DP Data Protection Services UK Ltd.
Attn: MSKCC
16 Great Queen Street, Covent Garden, London, WC2B 5AH, United Kingdom
[email protected]