Digital Privacy Policy

Northwestern Medicine Digital Privacy Policy

Effective Date: May 11, 2022

Northwestern Memorial HealthCare respects your right to privacy. As used here, “Northwestern Medicine”, “we”, “us” or “our” means Northwestern Memorial HealthCare and, where appropriate, its corporate affiliates, including but not limited to Northwestern Memorial Hospital, Northwestern Medicine Lake Forest Hospital, Northwestern Medical Faculty Foundation (d/b/a Northwestern Medical Group), Northwestern Memorial Foundation, Northwestern Medicine Central DuPage Hospital, Northwestern Medicine Delnor Hospital, Central DuPage Physician Group (d/b/a Northwestern Medicine Regional Medical Group), Northwestern Medicine Kishwaukee Hospital, Northwestern Medicine Valley West Hospital, Marianjoy Rehabilitation Hospital, Rehabilitation Medicine Clinic, Inc. (d/b/a Marianjoy Medical Group), Northwestern Medicine Huntley Hospital, Northwestern Medicine McHenry Hospital, Northwestern Medicine Woodstock Hospital, Centegra Physician Care, Palos Community Hospital, Palos Health Surgery Center, LLC, Palos Imaging LLC, Palos Medical Group LLC and South Campus Partners, Inc.

This Privacy Policy discloses how we gather, use and disclose information about you when you access or use our website located at www.nm.org (the “Website”), the MyNM mobile applications (the “Apps”), and/or through our general business operations, excluding information about our employees and through our medical and healthcare services (“Operations”). When we refer to the Website, Apps, and Operations together, we will call them the “Services.” Please note that this Privacy Policy describes your information practices with respect to your use of the Services. This Privacy Policy does not apply to any other data gathered or used by Northwestern Medicine, including through websites not controlled or operated by Northwestern Medicine. This Privacy Policy is in addition to, and does not replace, our Notice of Privacy Practices, which explains how we use and disclose our patients’ protected health information (“PHI”) under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). To the extent of a conflict between the terms of this Privacy Policy and the Notice of Privacy Practices with respect to PHI, the Notice of Privacy Practices will control how we use and disclose your PHI. Please review the Notice of Privacy Practices that corresponds to the location where you are a patient.

Please review this Privacy Policy, which is incorporated into and made part of our Terms of Use. By accessing or using the Services, you consent to our collection, use and disclosure of your information in accordance with this Privacy Policy and Terms of Use. If you have any questions about our Privacy Policy or our Terms of Use, please contact us at compliance@nm.org. If you do not agree to our Privacy Policy or Terms of Use, you may not use the Services.

Northwestern Medicine reserves the right to change this policy from time to time without notice, so please check back periodically. If you use the Services after we post changes to this Privacy Policy, you accept and agree to be bound by the changed policy.

What Information Does Northwestern Medicine Collect?

Information You Provide to Us

We collect information you provide directly to us. For example, we collect information when you: create an account or profile, use the interactive areas and features of the Services, subscribe to a newsletter or email list, participate in a survey or events, pay a bill, make a donation, apply for a job, request customer or technical support, or otherwise communicate with us.

The types of information we may collect from you include:

(a) Account Information, such as your name, email address, password, postal address, phone number, date of birth and any other information you choose to provide.

(b) Transaction Information, such as your health insurance information and limited payment information from you, such as payment method and payment card information; however, we do not collect or store full payment card numbers and all transactions are processed by our third-party payment processor.

(c) Information about Others, such as the names and the contact information of your providers, your proxies, and any dependents under your care.

(d) Supplier and Vendor Information, such as the names and contact information of our business partners.

(e) Educational and Professional Background, such as your employment history, CV, and academic history, when you apply for a job, research grant, or fellowship.

(f) Health Information, such as your past and present medical condition, medication information, and treatment history. For example, our Apps may collect COVID vaccination status, COVID test results and associated encounter information from you or your providers affiliated with Northwestern Medicine. The App may also provide functionality for you to upload a copy of your COVID vaccination card. Our limited use of COVID-related information and other health information is in accordance with our Notice of Privacy Practices.

(g) Other Information You Choose to Provide, such as when you participate in a survey, assessment, contest, promotion or interactive area of the Services or when you request technical or customer support.

Information We Collect Automatically When You Use the Services

When you access or use the Services, the types of information we may automatically collect about you include:

(a) Log Information: When you visit the Services, our servers automatically record certain log file information, such as your Internet Protocol (“IP”) address, operating system, browser type and language, referring URLs, access times, pages viewed, links clicked and other information about your activities on the Services.

(b) Mobile Device Information: We collect information about the mobile device you use to access or use the Services, including the hardware model, operating system and version, unique device identifiers, mobile network information and information about your use of our Apps. With your consent, we may also collect information about the precise location of your device and access and collect information from certain native applications on your device (such as your device’s camera, photo album, microphone, storage and phonebook applications) to facilitate your use of certain features of the Services. For more information about how you can control the collection of location information and/or our access to other applications on your device, please see “Your Choices” below.

(c) Information Collected by Cookies and Other Tracking Technologies: We and our service providers use various tracking technologies, including cookies and web beacons, to collect information about you when you interact with our Services. Cookies are small data files stored on your hard drive or in device memory that help us improve the Services and your experience, see which areas and features of the Services are popular, and count visits. Web beacons are electronic images that may be used in the Services or emails and help deliver cookies, count visits and understand usage and campaign effectiveness. For more information about cookies, and how to disable them, please see “Your Choices” below.

(d) Analytics Services Provided by Others: We may allow others to provide analytics services on our behalf. These entities may use cookies, web beacons and other technologies to collect information about your use of the Services and other websites, including your IP address, web browser, pages viewed, time spent on pages, links clicked and conversion information. For example, we use analytics partners (such as Google Analytics) to help us analyze and track data, determine the popularity of certain content, deliver advertising and content targeted to your interests on the Services and other websites and better understand your online activity. For more information about how you may control the collection and/or use of information for analytics purposes, please see our separate Cookies Policy to learn about how we use cookies on the Site and your choices in relation to the use of cookies.

Information Collected from Other Sources

We may also obtain information about you from other sources. For example, if you have an existing medical record at another organization outside of Northwestern Medicine, you may be able to see your test results, along with other functionality, from within our Apps through MyChart. Additionally, you may be able to view your COVID-related information and test results from your outside organization, or from state registries, within our Apps. Once we combine information from other sources with your information collected pursuant to this Privacy Policy, we apply this Privacy Policy to the combined information as long as it is combined.

How Does Northwestern Medicine Use Information?

Northwestern Medicine uses the information about you for various purposes, including to:

  • Provide, maintain and improve our Services and provide you with relevant information;
  • Send you technical notices, updates, security alerts and support and administrative messages;
  • Respond to your comments, questions and requests and provide customer service;
  • Communicate with you about products and services offered by us and others, and to provide news and information we think will be of interest to you;
  • Plan, administer and coordinate events, community groups and outreach activities;
  • Process financial assistance applications and donations;
  • Monitor and analyze trends, usage and activities in connection with our Services;
  • Detect, investigate and prevent fraudulent transactions and other illegal activities and protect the rights and property of Northwestern Medicine and others;
  • Maintain appropriate records for internal administrative purposes;
  • Process applications for employment, fellowships, and grants; and
  • Carry out any other purpose described to you at the time the information was collected.

Please note, our use of your PHI is explained in the Notice of Privacy Practices.

How Does Northwestern Medicine Share Information?

We may share information about you, including Personal Information, as follows, or as otherwise described in this Privacy Statement:

  • With vendors, consultants and other service providers who need access to such information to carry out work or perform services on our behalf;
  • In response to requests from local, state, provincial or federal law enforcement officials, any judicial, administrative or similar proceeding or order, such as a subpoena if we believe disclosure is in accordance with, or required by any applicable law;
  • If we believe your actions are inconsistent with our user agreements or policies, or to protect the rights, property and safety of Northwestern Medicine and others;
  • To investigate suspected fraud, harassment, physical threats, or other violations of any law, rule or regulation, the Services’ rules or policies, or the rights of third parties or to investigate any suspected conduct which we deem improper;
  • In connection with, or during negotiations of, any merger, sale of company assets, financing or acquisition of all or a portion of our business by another company;
  • Between and among Northwestern Medicine and our current and future parents, affiliates, subsidiaries, and other companies under common control and ownership;
  • For recruitment in research studies. If you prefer not to be contacted by letter, phone, or email by a researcher not involved in your clinical care, you can contact Northwestern Medicine to be removed from the contact registry at 630-933-6528; 
  • With your consent or at your direction;
  • To comply with transparency or other public reporting obligations; and
  • As otherwise permitted or required by law.

Additionally, we may share COVID test result information with state registries when required, as well as with other outside organizations for whom you have linked your MyChart account or have otherwise given permission to share your data. For more information about how we share your PHI, please review our Notice of Privacy Practices.

We may also share aggregated or de-identified information, which cannot reasonably be used to identify you.

We are based in the United States and the information we collect is governed by U.S. law. By accessing or using the Services or otherwise providing information to us, you consent to the processing and transfer of information in and to the U.S. and other countries, where you may not have the same rights as you do under local law. Where this is the case, we will take appropriate measures to protect information about you in accordance with this Privacy Policy.

Children's Privacy

Northwestern Medicine is committed to protecting the privacy of children. You should be aware that the Website and Apps are not intended or designed to attract children. In addition, we do not collect personal information from any person known by Northwestern Medicine to be a child under the age of 13.

Security

We seek to use reasonable physical, technical, and administrative measures designed to protect personal information within our organization. Unfortunately, no data transmission or storage system can be guaranteed to be 100% secure. If you have reason to believe that your interaction with us is no longer secure (for example, if you feel that the security of your account has been compromised), please immediately notify us in accordance with the “Contacting Us” section below.

Region-Specific Disclosures

Additional Information for Individuals in the European Economic Area (“EEA”)

In addition to the aforementioned information, the following information applies to any individual located in the EEA. For the purposes of this section, any defined terms have the meaning under the European Union’s General Data Protection Regulation (“GDPR”). Northwestern Medicine and its corporate affiliates, each in its own capacity, act as a “Data Controller” under the GDPR. Northwestern Medicine’s headquarters is located in the United States at 251 E. Huron St., Chicago, IL 60611.

Legal Basis of Processing

In this section, we identify the lawful ground we rely on for processing Personal Data.

Consent

If Northwestern Medicine relies on consent for the processing of Personal Data, we will provide transparent notice of the purposes for which we seek such consent at the time we collect your Personal Data. 

If Northwestern Medicine wishes to process any special categories of Personal Data as set out in Article 9(1) of the GDPR, Northwestern Medicine may obtain your explicit consent for such processing. 

Contractual Necessity

Northwestern Medicine processes Personal Data to fulfill our contracts with our business partners and service providers, such as for rendering payment or communicating with health care professionals or consultants.

Legal Obligation

Northwestern Medicine may process Personal Data as specifically required by applicable legal obligations, such as laws and regulations that require Northwestern Medicine to process Personal Data for purposes of obtaining regulatory approvals and making transparency disclosures.

Public Interest

Northwestern Medicine may process Personal Data for scientific or historical research purposes, or statistical purposes in the public interest, as authorized by applicable law.

If Northwestern Medicine wishes to process any special categories of Personal Data as set out in Article 9(1) of the GDPR, it may do so when necessary for scientific research purposes, medical diagnosis, or the protection of vital interests. 

Legitimate Interests

Northwestern Medicine may process Personal Data subject to its own legitimate interests, such as to facilitate treatment; to schedule appointments; to offer support programs; to offer community initiatives; to promote scholarly research; to develop, administer and support research; to operate, evaluate and improve our business; to process donations; to support our recruitment activities; to process job applications; or to facilitate a sale of assets or merger or acquisition.

It may also be necessary for Northwestern Medicine to process Personal Data to establish, exercise or defend against fraud, illegal activity, and claims and other liabilities, including by enforcing the Terms of Use that govern the services we provide.

Compatible Purposes

Northwestern Medicine may also process Personal Data for purposes that are compatible with those described above. Such purposes may include scientific research.

Data Retention

We retain Personal Data for as long as is necessary to accomplish the purposes set out in this Privacy Policy, unless a longer period is required under applicable law or is needed to resolve disputes or protect our legal rights.

The criteria used to determine the period for which Personal Data about you will be stored varies depending on the legal basis under which we process such Personal Data:

  • Consent: For the period of time necessary to fulfill the underlying agreement with you, subject to your right, under certain circumstances, to have certain Personal Data about you erased (see Data Subject Rights below).
  • Contractual Necessity: For the duration of the contract plus some additional limited period of time that is necessary to comply with law or that represents the limitation period for legal claims that could arise from the contractual relationship.
  • Legal Obligation: For the duration of time that we are legally obligated to keep the information.
  • Public Interest: For the period of time necessary to fulfill the purposes of the business process in the public interest and for any period of time that may be required to document the public interest or business process under applicable law.
  • Legitimate Interests: For a reasonable period of time based on the particular interest, taking into account the fundamental interests and the rights and freedoms of the Data Subjects.

If we face a threat of a legal claim, we may need to apply a “legal hold” that retains information beyond our typical retention period. In that case, we will retain the information until the hold is removed, which typically means the claim or threat of claim has been resolved.

Transfer of Personal Data Outside of the EEA

Northwestern Medicine processes your Personal Data in the United States, which does not provide the same level of data protection as the EEA. Where your Personal Data is processed by Northwestern Medicine or third parties outside of the EEA, we will ensure that appropriate safeguards are in place to adequately protect your Personal Data, as required by applicable law, if the recipients are not located in a country with adequate data protection (as determined by the European Commission). Such safeguards may include the execution of standard contractual clauses; EU-US Privacy Shield framework; consent of the individual to whom the personal information pertains; or other safeguards permitted by applicable EEA requirements.

GDPR Data Subject Rights

Under the GDPR, in certain circumstances, an EEA-resident Data Subject has certain individual rights with respect to the Personal Data that we hold about them.  In particular, you may have the right to:

  • Request access to any data held about you;
  • Ask to have inaccurate data amended;
  • Request data held about you to be erased, provided the data is not required by Northwestern Medicine to perform a contract, protect its rights, interests or those of a third party, defend against a legal claim or to comply with applicable laws or regulations;
  • Prevent or restrict processing of data which is no longer required; and
  • Request transfer of appropriate data to a third party where this is technically feasible.

Additionally, in the circumstances where you may have provided your consent to the collection, processing and transfer of your Personal Data for a specific purpose, you have the right to withdraw your consent for that specific purpose at any time.  Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.

To exercise any of these rights, please contact us using the contact details set out under the “Contact Us” heading below.  As a resident of the EEA, you are also entitled to direct any complaints in relation to our processing of your Personal Data to your national or local data protection authority (i.e., your Supervisory Authority). 

Links to Third-Party Websites

Our Services may reference or provide links to third-party websites. Other websites may also reference or link to our Services. Because these websites are not controlled by Northwestern Medicine, we are not responsible for the third-party websites. We encourage our users to be aware when they leave our Services to review the privacy policies posted on each and every website that collects personally identifiable information. Please be aware that Northwestern Medicine does not control, endorse, screen or approve, nor are we responsible for, the privacy policies or information practices of third parties or their websites or mobile applications. Visiting these other websites is at your own risk.

Your Choices

Account Information

You may update, correct or modify information about you at any time by logging into your online account or by contacting us at 855.HLP.MYNM (855.457.6966) or by email at mychart@nm.org. If you wish to deactivate your account, please email us at mychart@nm.org, but note we may continue to store information about you as required by law or for legitimate business purposes.

Newsletters

Upon your request, we may send you information about Northwestern Medicine via email. You may unsubscribe from receiving marketing or other commercial emails from us by following the instructions included in the email. However, even if you opt-out of receiving such communications, we retain the right to send you non-marketing communications (such as important transaction information, or changes in website or mobile application terms).

Location Information

With your consent, we may collect information about your actual location when you use our Apps. You may stop the collection of this information at any time by changing the settings on your mobile device, but note that some features of our Apps may no longer function if you do so. If you choose to enable and use location services for the App, your location data may be retained and used by the App’s location services vendor for a defined period of time.

Native Applications on Mobile Device

Some features of our Apps may require access to certain native applications on your mobile device, such as the camera and photo storage applications (e.g., to take and upload photos), microphone and the phonebook application. If you decide to use these features, your mobile device will ask for your consent prior to accessing the applications and collecting information. Note that you can revoke your consent at any time by changing the settings on your device.  Please be advised of how this information is used, accessed, stored and shared:

Features

  • Camera: Our Apps allow you to use your camera to take new photos or to capture video in a recording that can be securely sent to your providers. The photos you take may be used to personalize your account or used as file attachments that are sent by you through our App. MyNM App may store data collected from the camera in your medical record.
  • Microphone: Our Apps allow you to use your microphone to capture audio associated with videos that you capture that can be securely sent to your providers. The videos you take may be used as file attachments that are sent by you through our App. MyNM App may store data collected from the microphone in your medical record.
  • Storage: Our Apps (including but not limited to the MyNM App) may access your device’s storage to read and write files you choose to use in the application. These files may be used as file attachments that are sent to your provider or they may be created from file attachments sent to you from your provider. Our Apps may store files uploaded from your device's storage in your medical record.
  • Phone Calls: Our Apps may allow you to use your phone to call phone numbers displayed in the App. The App will not store your call history or other call data.

Cookies and Your Ad Choices

Most web browsers are set to accept cookies by default. If you prefer, you can usually choose to set your browser to remove or reject browser cookies. Please note that if you choose to remove or reject cookies, this could affect the availability and functionality of the Services. Please see our separate Cookies Policy to learn about how we use cookies on the Site and your choices in relation to the use of cookies.

Push Notifications

With your consent, we may send promotional and non-promotional push notifications or alerts to your mobile device. You can deactivate these messages at any time by changing the notification settings on your mobile device or within our Apps.

Contact Us

If you have any questions about this Privacy Policy or concerns about the way Northwestern Medicine processes your information, or require assistance in managing your privacy choices, please get in touch with us at:

Northwestern Memorial HealthCare
Corporate Compliance and Integrity
541 N. Fairbanks
Chicago, Illinois 60611
compliance@nm.org
312.926.4800