Last Updated: January 23, 2023
The MyMSK Portal is owned and operated by Memorial Sloan Kettering Cancer Center (“MSK,” “we”, “our” or “us”). MSK is committed to the individual privacy of every visitor to our Portal.
What this Policy Covers
- The webpage that launches the MyMSK Portal;
The Information We Collect and Use
Patient medical records include patient health information known as Protected Health Information (“PHI”), which is regulated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Please review our Notice of Privacy Practices for information on how we use and disclose your PHI.
When we use the term “Personal Data” we mean information, other than PHI, that we directly associate with a specific person, or that we can reasonably use to identify a specific person such as a name or email address. We collect and use information through your use of the Portal in the following ways.
1. Personal Data You Provide To Us
We collect Personal Data when you choose to share that information with us, including in the following ways.
All Portal Users:
- When you set up a Portal account, you will be asked to submit Personal Data such as your name, email address, phone number, and date of birth. We use this information to set up and administer your Portal account.
- When you communicate with health care providers or other MSK staff through the Portal, we collect the content of the communications and the metadata associated with those communications. We use this information to respond to your inquiries and facilitate communication.
- We may collect information and use it to manage how we communicate with you. For example, we may use your email addresses to alert you that you have a message waiting on the Portal.
- When you sign up for events or content, we may collect your contact information, demographic information and communication preferences, which we use to manage how we communicate with you.
Patients and Proxy Users:
- Registered MSK or MMC patients (“Patient”) may choose to give other people access to their Portal account (“Proxy account”). If you are an MSK or MMC Patient or are registering for a Proxy account, when you set up a Portal account, you may also be asked to provide other Personal Data such as your mailing address, enrollment ID number, the Patient’s name, medical record number, and, if applicable, information related to a minor Patient’s parent or guardian, including the parent or guardian’s name, mailing address, email address and phone number.
- When you book appointments through the Portal, we collect information about your contact information, your health care professional and your appointment confirmation, which we use to facilitate scheduling the appointment and to send you appointment reminders.
- When you order prescription refills through the Portal we collect information about your medication, contact information and preferred pharmacy, which we use to facilitate your prescription renewal request.
- When you pay your medical bills through the Portal we will collect your payment information, insurance information, billing information and contact information, which we use to fulfill your payment, complete your transaction and deliver an invoice to you.
2. Information We Collect Automatically
The technologies we use to collect Personal Data and other information include the following:
- Web Log File Data. Like most other websites or mobile applications, we collect some basic information automatically about you and store it in log files. This information may include IP address, browser type, internet service provider, pages you visit from and pages you go to after leaving the Portal, pages you visit on the Portal (e.g., to access articles, videos, forms, and posts from MSK; to sign up for events organized by MSK; and to communicate with MSK), date and time stamp, and clickstream data. We use this information for Portal management and administration, to improve the content, overall performance and user experience on the Portal, for fraud protection and for protecting our rights.
Most browsers allow you to turn off certain cookies if you do not want your preferences tracked. However, your cookie feature on your browser must be turned “on” so you can use the Portal. The “help” menu on most internet browsers contains information on how to control cookies, or you can visit www.aboutcookies.org/how-to-control-cookies/.
- Information for Analytics. We use analytics providers to help us collect and track certain information about your activity and level of interest in the Portal. We may combine this information with other information we have about you to help us improve the site and our service to you.
3. Additional Uses of Personal Data
In addition to the uses described above, we may, consistent with our other legal obligations, use your Personal Data for the following purposes:
- Maintaining, delivering and improving the Portal and our services;
- Contacting you to respond to your requests or inquiries and provide support;
- Sending you technical notices, updates, security alerts and support and administrative messages;
- Contacting you about programs, products, or services that we believe may be of interest to you, new service announcements, or event invitations;
- Developing new resources and services;
- Conducting, managing and growing our business operations;
- Analyzing Patient experience as well as provider and hospital performance;
- Preventing, investigating and providing notice of fraud, unlawful or criminal activity or unauthorized access to or use of Personal Data, the Portal or our data systems, or to meet legal obligations;
- Investigating and resolving disputes and security issues and enforcing our MyMSK Portal Terms and Conditions; and
- Carrying out any other purpose for which the information was collected.
How We Disclose Personal Data
We may disclose Personal Data collected through the Portal for the reason(s) provided to you at the time we collect it, with your authorization or consent, as well as in the following ways:
- Patients and Proxy Users. If a Patient chooses to give other people access to their Portal account as Proxy users, the Proxy users can view certain parts of the Patient medical record that are available through the Portal, such as the Patient’s treatment, test results, diagnostic and billing information, as well as other information available in the Patient’s Portal account.
- Third-Party Service Providers. We may disclose Personal Data to vendors who perform services on our behalf, including, but not limited to, helping us manage the Portal, manage our communication channels and conduct analytics, providers involved in hosting and monitoring the Portal, payment processors, and pharmacy providers.
- Affiliates. We may disclose Personal Data between and among MSK and our current and future parents, affiliates, subsidiaries and other companies under common control and ownership.
- Legal Process, Safety and Terms Enforcement. We may disclose your Personal Data to legal or government regulatory authorities in response to a search warrant, subpoena, court order or other request for such information or to assist in investigations. We may also disclose your Personal Data to third parties in connection with claims, disputes or litigation, when otherwise required by law, if we determine such disclosure is necessary to protect the health and safety of us or our users or to enforce our legal rights or contractual commitments that users have made.
- Business Transfers. We may disclose Personal Data as a part of a corporate business transaction, such as a merger, acquisition, reorganization, divestiture, dissolution, joint venture or financing, bankruptcy or sale of all or a portion of our assets.
We seek to use reasonable physical, technical, and administrative measures designed to protect Personal Data within our organization. Unfortunately, no data transmission or storage system can be guaranteed to be 100% secure. If you have reason to believe that your interaction with us is no longer secure (for example, if you feel that the security of your account has been compromised), please immediately notify us as described in the “Contact Us” section below.
Links to Other Websites or Mobile Applications
How We Respond to “Do Not Track” Signals
Some web browsers have “Do Not Track” or similar features that allow you to tell each website you visit that you do not want your activities on that website tracked. At present, the Portal does not respond to “Do Not Track” signals and consequently, the Portal will continue to collect information about you even if your browser’s “Do Not Track” feature is activated.
Notice to Individuals Located in the EU/EEA
Please be aware that if you use the Portal to transfer your Personal Data to MSK in order to seek care at an MSK facility or a second opinion at MSK, you will be provided a copy of our EU Patient Notice and our Notice of Privacy Practices, which will govern our use of protected health information. The EU Portal Notice will not apply to MSK’s use of such information.
If our processing is based solely on consent, you have the right to withdraw your consent. You may withdraw your consent by contacting us as set forth in the “Contact Us” section below. Please note that, in certain cases, we may continue to process your Personal Data after you have withdrawn consent, if we have a legal basis to do so. For example, we may retain certain information if we need to do so to comply with an independent legal obligation, or if it is necessary to do so to pursue our legitimate interest in keeping the Portal safe and secure, or if deleting the information would undermine the integrity of a research study in which you are enrolled.
If your Personal Data is processed for EEA Processing Activities, you have the right to (1) see Personal Data that MSK holds about you and receive any details required to be provided to you under applicable law, (2) correct or update your Personal Data, if inaccurate, (3) limit collection and use of your Personal Data under certain circumstances (for example, if you think it is inaccurate), (4) receive your Personal Data in an electronic format as required by law, except Personal Data that has been used for public interest purposes or for MSK’s required legal obligations, (5) request deletion of your Personal Data, subject to MSK’s need to keep such data to comply with legal requirements, for purposes of public health or to preserve the integrity of a research study, or to allow MSK to defend itself from legal claims, and (6) file a complaint with a data protection authority (see http://ec.europa.eu/justice/data-protection/article-29/structure/data-p…). If you have questions about the processing of your Personal Data or rights associated with your Personal Data, see the section “Contact Us” below.
You may request that we update, correct or delete information about you in the Portal, or close your account at any time by contacting us as described in the “Contact Us” section below. Please note that even if you close your account, we may retain certain information as required by law or for legitimate business purposes. We may also retain cached or archived copies of information about you for a certain period of time.
Native Applications and Push Notifications on Mobile Device
Some features of our App may require access to certain native applications on your mobile device, such as the camera and photo storage applications (e.g., to take and upload photos and videos). If you decide to use these features, we will ask you for your consent prior to accessing the applications and collecting information. Note that you can revoke your consent at any time by changing the settings on your device.
With your consent, we may send push notifications or alerts to your mobile device. You can deactivate these messages at any time by changing the notification settings on your mobile device or within our App.
If you need technical assistance with the Portal or have any other questions about using the Portal, you may contact the Portal Help Desk by using the Message Center found at https://my.mskcc.org or by calling 1(800) 248-0593 or 1(646) 227-2593.
Memorial Sloan Kettering Cancer Center
633 Third Avenue
New York, NY 10017
If you are in the European Union, you may address GDPR-related inquiries to our EU representative at:
Hopfenstr. 1d, 24114 Kiel, Germany
If you are in the United Kingdom, you may address UK GDPR privacy-related inquiries to our UK representative at:
DP Data Protection Services UK Ltd.
16 Great Queen Street, Covent Garden, London, WC2B 5AH, United Kingdom