Last Updated: July 7, 2022
Collection of Personally Identifiable Information and Protected Health Information
We and our service providers collect several types of information from users through our Services, including:
Personal information that relates to you, identifies you, or can reasonably be expected to identify you, such as name, address, job title, email address, telephone number or payment information, such as your credit card number, expiration date, and credit card security code (we refer to this type of information as “Personally Identifiable Information” or “PII”).
Personal information that relates to you, identifies you, or can reasonably be expected to identify you, in relation to past, present, or future health care services provided to you (we refer to this as “Protected Health Information” or “PHI”).
Collection of Personally Identifiable Information from Third Parties
If you access the Services from an advertisement on a third-party website, application, or other service (a “Third-Party Service”) we may receive information from the owner of the Third-Party Service related to you or that advertisement.
We may also receive information about you from other sources, including through third-party services and organizations. We may combine our first-party data, such as your email address or name, with third-party data from other sources and use this to contact you (e.g. through direct mail). For example, if you access third-party services, such as Facebook, LinkedIn, Google, or Twitter, through the Services to login to the Services or to share information about your experience on the Services with others, we may collect information from these third-party services.
Third Party Payment Service
Personally Identifiable Information of Others
Collection of Other Information
We collect other information you provide to us that doesn’t reveal your specific identity (we refer to this as “Other Information”), which includes:
- Information we collect automatically such as your computer’s Internet protocol (“IP”) address, device identifiers, browser type, operating system, Internet service provider, and other standard server log information.
- Information collected through cookies.
- Demographic or other information provided by you that doesn’t reveal your identity.
- Aggregate information that doesn’t reveal your identity.
- Location information such as your mobile device’s GPS signal, or information about nearby WiFi access points and cell towers.
Your browser software can be set to reject all cookies, including cookies from our Services. Most browsers offer instructions on how to reset the browser to reject cookies in the help section of the toolbar, such as the Google Analytics Opt-out Browser Add-on. If you would like to learn more about these practices, visit the Network Advertising Initiative.
Information Provided through Your Browser or Device
We may also collect technical data to address and fix technical problems and improve our Services. Your device or browser settings may permit you to control the collection of this technical data. By using the Services, you are consenting to us or any party acting on our behalf collecting this technical data.
Information Provided through Your Use of Applications
When you download and use our applications, we and our service providers may track and collect application usage data.
We may collect the physical location of your device by using satellite, cell phone tower or WiFi signals. We may use your device’s physical location to provide you with personalized location based services and content. In some instances, you may be permitted to allow or deny such uses and/or sharing of your device’s location, but if you do, we may not be able to provide you with the applicable personalized services and content.
How We Use Your Information
We strive to maintain your privacy, confidentiality and security at all times. Saint Luke’s uses the information you provide to us, including any Personally Identifiable Information to:
- Present our Services and their contents to you
- Provide you with information and services that you request from us, including Foundation-related fundraising activities
- Personalize your experience and inform you about the services in which you have indicated an interest
- Contact you and respond to your questions
- Carry out our obligations and enforce our rights arising from any contracts entered into between you and us, including for billing and collection
- Send you information about additional services or general wellness from us or on behalf of our affiliates
- Comply with applicable law
- For purposes of human resources recruiting and processing your employment application
- In other ways we may describe when you provide the information
- For any other purpose with your consent
In addition, we may use, disclose or transfer your information to a third party in the event of any reorganization, merger, sale or other disposition of all or any portion of our business or assets.
These are the limited ways we interact with your information, including any Personally Identifiable Information, in connection with our mobile applications:
When you choose to add a profile photo to our mobile apps, you may select an existing photo on your device or take a new photo using the camera app on your device. If you select an existing photo on your device, we store a copy of your chosen photo in app-private storage on your device. If you use the camera app on your device to take a new photo, the photo you take is first saved to your camera app and then also saved to app-private storage on your device. If you remove the photo from your profile or delete our mobile apps, the copy of the photo is deleted from the app-private storage, but the photo saved to your camera app remains available in your camera app until you choose to delete it. If you already have a photo stored in your profile through your healthcare organization – we do not interact with that photo in any way.
When you choose to view documents (such as letters or images) using our mobile apps, to make the files viewable for you we temporarily store copies on your device in app-private storage. The temporary copies are deleted when you close your session on our mobile apps.
When you choose to include a photo or video in a message you send to us using our mobile apps, you may select an existing photo or video from your device or take a new photo or video using the camera app on your device. If you use the camera app on your device to take a new photo or video, it will be saved to your camera app. Any photo or video saved to your camera app remains available in your camera app until you choose to delete it.
When you join a telehealth visit with your provider, we will ask for permission to access your device’s video and audio functionality to make the telehealth visit possible. We do not record or store video or audio data from these visits.
If you choose to enable the automatic appointment arrival functionality, we temporarily store identifiers and times for your upcoming appointments in app-private storage to detect when you arrive for an upcoming appointment. If you choose to stop using our mobile apps or you disable automatic appointment arrival, the identifiers are deleted.
You may choose to allow our mobile apps to interact with your location data for purposes of location-based check in for in-person appointments, or to find healthcare providers near you. We do not store your location data.
You may choose to allow our mobile apps to interact with your Bluetooth data for purposes of notifying front desk staff electronically when you arrive for an appointment. We do not store your Bluetooth data.
While you use our apps, we collect non-identifying information so we can provide customer service to you or your healthcare organization and understand how people use our mobile apps so we can improve our products. This information includes the time you began using the app, the healthcare organization you interacted with, any error messages or codes, the model of device used and its operating system, and the version of our mobile app used. If you use Android devices, we also collect your connection type (cellular or WiFi) during an error.
You may contact us through the methods listed under the “Contact Us” section below. If you contact us, we may keep a record of the communication. You can decide how much information you want to share with us in those cases.
For Android Users – Required Google Play Disclosures for Certain Health Apps:
Google has determined our mobile apps are subject to their COVID-19 apps requirements. As a result, we are required to provide the following information so we can make our mobile apps available to you in the Play store.
Our mobile apps interact with your microphone only if you choose to use your microphone to navigate our mobile apps. Our mobile apps interact with your camera roll only if you choose to add a profile image to a profile in our mobile apps. This information is not used in connection with COVID-19.
Our mobile apps access, collect, use, and share your information (including video, audio, images, files) as stated above in the section titled, “How We Use Your Information.” We also prominently highlight these uses, describe the type of data being accessed, and obtain your consent for these purposes as you use our mobile apps.
Our mobile apps were not created specifically for the COVID-19 pandemic. They existed before the COVID-19 pandemic to allow you to access certain information on file with us. You may access COVID-19-related vaccination information, laboratory test results, and documents with illness-related information using our mobile apps. You may choose if or how you want to access, display, or use the information – just like you can make those decisions about health information relating to other conditions, services, tests, or vaccinations.
Use and Disclosures of Other Information
We may use and disclose Other Information for any purpose, except where we are required to do otherwise under applicable law.
Our Security Measures
We use encryption practices and security controls that meet or exceed industry standards that are designed to help protect the confidentiality and integrity of the Personally Identifiable Information and/or Protected Health Information you provide to us.
You should, however, be aware that there is always some risk involved in transmitting information via the Internet.
Your Role, Responsibilities and Risks
Where you use a Service that is secured with a username and password, you are responsible for taking steps to protect the privacy of such credentials. In order to protect your privacy, you should:
- Never share your username or password;
- Always sign out when you are finished using the Service;
- Use only secure web browsers;
- Employ common anti-virus and anti-malware tools on your system to keep it safe;
- Use a strong password with a combination of letters and numbers;
- Change your password often; and
- If you believe your login and/or password have been compromised change your password immediately and notify us in accordance with the “Contacting Us” section below.
If you share your username and password with another person, this will allow that person to see your confidential medical record information. We have no responsibility concerning any breach of your confidential medical record information due to your sharing or losing your username or password.
Our Relationship with Third Parties
Additionally, we work with several types of third party vendors including those that provide products and services that we integrate into our Services and organizations that maintain the Services. These third-party vendors and service providers may not use your information for purposes other than those related to the services they are providing to us.
On occasion, Saint Luke’s may share the personal data you provide to us with other Saint Luke’s entities, affiliates and/or business partners who are acting on our behalf to help us provide you with our services. These relationships differ from our standard business partner relationship in which we license content or a product for integration. These situations include:
Sponsored or co-branded sites
We allow other companies to make services and/or content available to you, sometimes on a sponsored or co-branded basis. To access the services on a sponsored or co-branded website, you may have to complete an online registration form in addition to the registration you completed for us. Whenever you provide registration information on sponsored or co-branded websites, data can be collected. You should read the individual privacy policies of sponsored or co-branded sites and make an informed decision on whether or not you want to use the site.
Health Information Exchange
Health information exchanges make patient health information easily accessible between organizations. Saint Luke’s Health System participates in various electronic health information exchanges. Learn more at saintlukeskc.org/HIE.
The Services are not directed to individuals under the age of 18 and we do not knowingly collect Personally Identifiable Information from individuals under 18. If we learn that we have inadvertently collected information from an individual under the age of 18, that information will be promptly and permanently removed from our servers.
Your Privacy Choices
To opt-out of data collection, make any changes or updates, or request that information be deleted, you have several choices:
We may send you emails with information that we think you might find useful including promotions, announcements of new services and products, and newsletters on particular health topics. You may opt-out of marketing messages at any time by clicking the Unsubscribe link located in the footer of every email sent by Saint Luke’s Marketing Department or by calling Saint Luke’s Concierge at 816-932-5100. You may ask to have your medical record marked as “Do Not Solicit” during clinic or hospital registration. We will try to comply with your requests as soon as reasonably practicable. Please note we may still send you important administrative messages from which you cannot opt-out.
You may also participate in our personalized email reminder system through mySaintLuke’s that sends an email reminding you of certain health-related activities such as a doctor’s visit or to schedule tests. If you decide, at any time, that you no longer wish to receive these emails you may update your notification preferences within the mySaintLuke’s patient portal.
You may also receive email notifications from other Saint Luke’s programs, such as patient satisfaction surveying, patient education, online appointment scheduling, Foundation, etc. Each program has a unique opt-out process which is communicated by the program.
For more information on opting-out of a Health Information Exchange (HIE), please visit saintlukeskc.org/HIE.
For more information on opting-out of SMS text messaging, please visit our SMS Text Messaging Terms of Service, saintlukeskc.org/text-message-help.
Remove or delete Personally Identifiable Information
You may remove previously provided Personally Identifiable Information collected in conjunction with our Services at any time by contacting us in writing at 901 E. 104th St., Mailstop 800-NE, Kansas City, Missouri 64131 or email firstname.lastname@example.org.
Users should be aware that it is not always technically possible to remove or delete the information you provide to us. We back-up our systems to protect information from inadvertent loss, and that means a copy of your Personally Identifiable Information may exist in a non-erasable form that may be difficult or impossible for us to locate. Nevertheless, upon receiving your request we will try to remove or delete all Personally Identifiable Information stored in the databases that we use for research and daily business activities. We will not intentionally disclose any Personally Identifiable Information stored in a non-erasable format after receiving your request for removal, except as required by law.
Remove or delete Protected Health Information
Removal of your Protected Health Information is subject to our Notice of Privacy Practices. There are certain restrictions on your ability to correct, update, or remove the Protected Health Information you enter into a personal health record. If your doctor or other health care professional has access to your personal health record and they add information to that record, your personal health record could be considered an official medical record for legal purposes. In this case, information cannot be deleted or removed, only updated or annotated. If you believe information contained in your medical record is incorrect, you may request an amendment to the information. To request an amendment to your personal medical records, read through the instructions contained within the Request For Amendment form located on the Compliance and Privacy page on the website. You may return the completed form in person to any Saint Luke’s Medical Record Department, submit the form through email at email@example.com or via mail to the mailing address listed on the form.
We will retain your Personally Identifiable Information for as long as needed or permitted in light of the purpose(s) for which it was obtained. The criteria used to determine our retention periods include: (i) the length of time we have a relationship with you and provide the Services; (ii) whether there is a legal obligation to which we are subject; or (iii) whether retention is advisable in light of our legal position.