Effective Date: May 11, 2022
Northwestern Memorial HealthCare respects your right to privacy. As used here, “Northwestern Medicine”, “we”, “us” or “our” means Northwestern Memorial HealthCare and, where appropriate, its corporate affiliates, including but not limited to Northwestern Memorial Hospital, Northwestern Medicine Lake Forest Hospital, Northwestern Medical Faculty Foundation (d/b/a Northwestern Medical Group), Northwestern Memorial Foundation, Northwestern Medicine Central DuPage Hospital, Northwestern Medicine Delnor Hospital, Central DuPage Physician Group (d/b/a Northwestern Medicine Regional Medical Group), Northwestern Medicine Kishwaukee Hospital, Northwestern Medicine Valley West Hospital, Marianjoy Rehabilitation Hospital, Rehabilitation Medicine Clinic, Inc. (d/b/a Marianjoy Medical Group), Northwestern Medicine Huntley Hospital, Northwestern Medicine McHenry Hospital, Northwestern Medicine Woodstock Hospital, Centegra Physician Care, Palos Community Hospital, Palos Health Surgery Center, LLC, Palos Imaging LLC, Palos Medical Group LLC and South Campus Partners, Inc.
- What Information Does Northwestern Medicine Collect?
- How Does Northwestern Medicine Use Information?
- How Does Northwestern Medicine Share Information?
- Children’s Privacy
- Region-Specific Disclosures
- Links to Third-Party Websites
- Your Choices
- Contact Us
Information You Provide to Us
We collect information you provide directly to us. For example, we collect information when you: create an account or profile, use the interactive areas and features of the Services, subscribe to a newsletter or email list, participate in a survey or events, pay a bill, make a donation, apply for a job, request customer or technical support, or otherwise communicate with us.
The types of information we may collect from you include:
(a) Account Information, such as your name, email address, password, postal address, phone number, date of birth and any other information you choose to provide.
(b) Transaction Information, such as your health insurance information and limited payment information from you, such as payment method and payment card information; however, we do not collect or store full payment card numbers and all transactions are processed by our third-party payment processor.
(c) Information about Others, such as the names and the contact information of your providers, your proxies, and any dependents under your care.
(d) Supplier and Vendor Information, such as the names and contact information of our business partners.
(e) Educational and Professional Background, such as your employment history, CV, and academic history, when you apply for a job, research grant, or fellowship.
(f) Health Information, such as your past and present medical condition, medication information, and treatment history. For example, our Apps may collect COVID vaccination status, COVID test results and associated encounter information from you or your providers affiliated with Northwestern Medicine. The App may also provide functionality for you to upload a copy of your COVID vaccination card. Our limited use of COVID-related information and other health information is in accordance with our Notice of Privacy Practices.
(g) Other Information You Choose to Provide, such as when you participate in a survey, assessment, contest, promotion or interactive area of the Services or when you request technical or customer support.
Information We Collect Automatically When You Use the Services
When you access or use the Services, the types of information we may automatically collect about you include:
(a) Log Information: When you visit the Services, our servers automatically record certain log file information, such as your Internet Protocol (“IP”) address, operating system, browser type and language, referring URLs, access times, pages viewed, links clicked and other information about your activities on the Services.
(b) Mobile Device Information: We collect information about the mobile device you use to access or use the Services, including the hardware model, operating system and version, unique device identifiers, mobile network information and information about your use of our Apps. With your consent, we may also collect information about the precise location of your device and access and collect information from certain native applications on your device (such as your device’s camera, photo album, microphone, storage and phonebook applications) to facilitate your use of certain features of the Services. For more information about how you can control the collection of location information and/or our access to other applications on your device, please see “Your Choices” below.
(c) Information Collected by Cookies and Other Tracking Technologies: We and our service providers use various tracking technologies, including cookies and web beacons, to collect information about you when you interact with our Services. Cookies are small data files stored on your hard drive or in device memory that help us improve the Services and your experience, see which areas and features of the Services are popular, and count visits. Web beacons are electronic images that may be used in the Services or emails and help deliver cookies, count visits and understand usage and campaign effectiveness. For more information about cookies, and how to disable them, please see “Your Choices” below.
Information Collected from Other Sources
Northwestern Medicine uses the information about you for various purposes, including to:
- Provide, maintain and improve our Services and provide you with relevant information;
- Send you technical notices, updates, security alerts and support and administrative messages;
- Respond to your comments, questions and requests and provide customer service;
- Communicate with you about products and services offered by us and others, and to provide news and information we think will be of interest to you;
- Plan, administer and coordinate events, community groups and outreach activities;
- Process financial assistance applications and donations;
- Monitor and analyze trends, usage and activities in connection with our Services;
- Detect, investigate and prevent fraudulent transactions and other illegal activities and protect the rights and property of Northwestern Medicine and others;
- Maintain appropriate records for internal administrative purposes;
- Process applications for employment, fellowships, and grants; and
- Carry out any other purpose described to you at the time the information was collected.
Please note, our use of your PHI is explained in the Notice of Privacy Practices.
We may share information about you, including Personal Information, as follows, or as otherwise described in this Privacy Statement:
- With vendors, consultants and other service providers who need access to such information to carry out work or perform services on our behalf;
- In response to requests from local, state, provincial or federal law enforcement officials, any judicial, administrative or similar proceeding or order, such as a subpoena if we believe disclosure is in accordance with, or required by any applicable law;
- If we believe your actions are inconsistent with our user agreements or policies, or to protect the rights, property and safety of Northwestern Medicine and others;
- To investigate suspected fraud, harassment, physical threats, or other violations of any law, rule or regulation, the Services’ rules or policies, or the rights of third parties or to investigate any suspected conduct which we deem improper;
- In connection with, or during negotiations of, any merger, sale of company assets, financing or acquisition of all or a portion of our business by another company;
- Between and among Northwestern Medicine and our current and future parents, affiliates, subsidiaries, and other companies under common control and ownership;
- For recruitment in research studies. If you prefer not to be contacted by letter, phone, or email by a researcher not involved in your clinical care, you can contact Northwestern Medicine to be removed from the contact registry at 630-933-6528;
- With your consent or at your direction;
- To comply with transparency or other public reporting obligations; and
- As otherwise permitted or required by law.
Additionally, we may share COVID test result information with state registries when required, as well as with other outside organizations for whom you have linked your MyChart account or have otherwise given permission to share your data. For more information about how we share your PHI, please review our Notice of Privacy Practices.
We may also share aggregated or de-identified information, which cannot reasonably be used to identify you.
Northwestern Medicine is committed to protecting the privacy of children. You should be aware that these Websites and Apps are not intended or designed to attract children. In addition, we do not collect personal information from any person known by Northwestern Medicine to be a child under the age of 13.
We seek to use reasonable physical, technical, and administrative measures designed to protect personal information within our organization. Unfortunately, no data transmission or storage system can be guaranteed to be 100% secure. If you have reason to believe that your interaction with us is no longer secure (for example, if you feel that the security of your account has been compromised), please immediately notify us in accordance with the “Contacting Us” section below.
Additional Information for Individuals in the European Economic Area (“EEA”)
In addition to the aforementioned information, the following information applies to any individual located in the EEA. For the purposes of this section, any defined terms have the meaning under the European Union’s General Data Protection Regulation (“GDPR”). Northwestern Medicine and its corporate affiliates, each in its own capacity, act as a “Data Controller” under the GDPR. Northwestern Medicine’s headquarters is located in the United States at 251 E. Huron St., Chicago, IL 60611.
Legal Basis of Processing
In this section, we identify the lawful ground we rely on for processing Personal Data.
| Legal Basis | Description |
|---|---|
| Consent | If Northwestern Medicine relies on consent for the processing of Personal Data, we will provide transparent notice of the purposes for which we seek such consent at the time we collect your Personal Data. If Northwestern Medicine wishes to process any special categories of Personal Data as set out in Article 9(1) of the GDPR, Northwestern Medicine may obtain your explicit consent for such processing. |
| Contractual Necessity | Northwestern Medicine processes Personal Data to fulfill our contracts with our business partners and service providers, such as for rendering payment or communicating with health care professionals or consultants. |
| Legal Obligation | Northwestern Medicine may process Personal Data as specifically required by applicable legal obligations, such as laws and regulations that require Northwestern Medicine to process Personal Data for purposes of obtaining regulatory approvals and making transparency disclosures. |
| Public Interest | Northwestern Medicine may process Personal Data for scientific or historical research purposes, or statistical purposes in the public interest, as authorized by applicable law. If Northwestern Medicine wishes to process any special categories of Personal Data as set out in Article 9(1) of the GDPR, it may do so when necessary for scientific research purposes, medical diagnosis, or the protection of vital interests. |
| Legitimate Interests | Northwestern Medicine may process Personal Data subject to its own legitimate interests, such as to facilitate treatment; to schedule appointments; to offer support programs; to offer community initiatives; to promote scholarly research; to develop, administer and support research; to operate, evaluate and improve our business; to process donations; to support our recruitment activities; to process job applications; or to facilitate a sale of assets or merger or acquisition. |
| Compatible Purposes | Northwestern Medicine may also process Personal Data for purposes that are compatible with those described above. Such purposes may include scientific research. |
The criteria used to determine the period for which Personal Data about you will be stored vary depending on the legal basis under which we process such Personal Data:
| Legal Basis | Retention Period |
|---|---|
| Consent | For the period of time necessary to fulfill the underlying agreement with you, subject to your right, under certain circumstances, to have certain Personal Data about you erased (see Data Subject Rights below). |
| Contractual Necessity | For the duration of the contract plus some additional limited period of time that is necessary to comply with law or that represents the limitation period for legal claims that could arise from the contractual relationship. |
| Legal Obligation | For the duration of time that we are legally obligated to keep the information. |
| Public Interest | For the period of time necessary to fulfill the purposes of the business process in the public interest and for any period of time that may be required to document the public interest or business process under applicable law. |
| Legitimate Interests | For a reasonable period of time based on the particular interest, taking into account the fundamental interests and the rights and freedoms of the Data Subjects. |
We may face a threat of a legal claim, and in that case we may need to apply a “legal hold” that retains information beyond our typical retention period. We will then retain the information until the hold is removed, which typically means the claim or threat of claim has been resolved.
Transfer of Personal Data Outside of the EEA
Northwestern Medicine processes your Personal Data in the United States, which does not provide the same level of data protection as the EEA. Where your Personal Data is processed by Northwestern Medicine or third parties outside of the EEA, we will ensure that appropriate safeguards are in place to adequately protect your Personal Data, as required by applicable law, if the recipients are not located in a country with adequate data protection (as determined by the European Commission). Such safeguards may include the execution of standard contractual clauses; EU-US Privacy Shield framework; consent of the individual to whom the personal information pertains; or other safeguards permitted by applicable EEA requirements.
GDPR Data Subject Rights
Under the GDPR, in certain circumstances, an EEA-resident Data Subject has certain individual rights with respect to the Personal Data that we hold about them. In particular, you may have the right to:
- Request access to any data held about you;
- Ask to have inaccurate data amended;
- Request data held about you to be erased, provided the data is not required by Northwestern Medicine to perform a contract, protect its rights, interests or those of a third party, defend against a legal claim or to comply with applicable laws or regulations;
- Prevent or restrict processing of data which is no longer required; and
- Request transfer of appropriate data to a third party where this is technically feasible.
Additionally, in the circumstances where you may have provided your consent to the collection, processing and transfer of your Personal Data for a specific purpose, you have the right to withdraw your consent for that specific purpose at any time. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
To exercise any of these rights, please contact us using the contact details set out under the “Contact Us” heading below. As a resident of the EEA, you are also entitled to direct any complaints in relation to our processing of your Personal Data to your national or local data protection authority (i.e., your Supervisory Authority).
Our Services may reference or provide links to third-party websites. Other websites may also reference or link to our Services. Because these websites are not controlled by Northwestern Medicine, we are not responsible for the third-party websites. We encourage our users to be aware when they leave our Services and to review the privacy policies posted on each and every website that collects personally identifiable information. Please be aware that Northwestern Medicine does not control, endorse, screen or approve, nor are we responsible for, the privacy policies or information practices of third parties or their websites or mobile applications. Visiting these other websites is at your own risk.
You may update, correct or modify information about you at any time by logging into your online account or by contacting us at 855.HLP.MYNM (855.457.6966) or by email at firstname.lastname@example.org. If you wish to deactivate your account, please email us at email@example.com, but note we may continue to store information about you as required by law or for legitimate business purposes.
Upon your request, we may send you information about Northwestern Medicine via email. You may unsubscribe from receiving marketing or other commercial emails from us by following the instructions included in the email. However, even if you opt out of receiving such communications, we retain the right to send you non-marketing communications (such as important transaction information, or changes in website or mobile application terms).
With your consent, we may collect information about your actual location when you use our Apps. You may stop the collection of this information at any time by changing the settings on your mobile device, but note that some features of our Apps may no longer function if you do so. If you choose to enable and use location services for the App, your location data may be retained and used by the App’s location services vendor for a defined period of time.
Native Applications on Mobile Device
Some features of our Apps may require access to certain native applications on your mobile device, such as the camera and photo storage applications (e.g., to take and upload photos), microphone and the phonebook application. If you decide to use these features, your mobile device will ask for your consent prior to accessing the applications and collecting information. Note that you can revoke your consent at any time by changing the settings on your device. Please be advised of how this information is used, accessed, stored and shared:
| Native Application | How Information Is Used, Accessed, Stored and Shared |
|---|---|
| Camera | Our Apps allow you to use your camera to take new photos or to capture video in a recording that can be securely sent to your providers. The photos you take may be used to personalize your account or used as file attachments that are sent by you through our App. MyNM App may store data collected from the camera in your medical record. |
| Microphone | Our Apps allow you to use your microphone to capture audio associated with videos that you capture that can be securely sent to your providers. The videos you take may be used as file attachments that are sent by you through our App. MyNM App may store data collected from the microphone in your medical record. |
| Storage | Our Apps (including but not limited to the MyNM App) may access your device’s storage to read and write files you choose to use in the application. These files may be used as file attachments that are sent to your provider or they may be created from file attachments sent to you from your provider. Our Apps may store files uploaded from your device's storage in your medical record. |
| Phone Calls | Our Apps may allow you to use your phone to call phone numbers displayed in the App. The App will not store your call history or other call data. |
Cookies and Your Ad Choices
With your consent, we may send promotional and non-promotional push notifications or alerts to your mobile device. You can deactivate these messages at any time by changing the notification settings on your mobile device or within our Apps.
Northwestern Memorial HealthCare
Corporate Compliance and Integrity
541 N. Fairbanks
Chicago, Illinois 60611