Privacy Policy

Last Updated: April 13, 2023

Saint Luke’s Health System, Inc. (“Saint Luke’s”, “we”, “us” or “our”) respects your privacy and is committed to protecting it through our compliance with this policy. This Privacy Policy explains how we collect, use, and disclose information that we collect through the Saint Luke’s website, portals, mobile and desktop applications, email and messaging platforms, and any other websites we may provide that link to this Privacy Policy (collectively, our “Services”). By using the Services, you agree to accept this Privacy Policy.

Collection of Personally Identifiable Information and Protected Health Information

We and our service providers collect several types of information from users through our Services, including:

Personal information that relates to you, identifies you, or can reasonably be expected to identify you, such as name, address, job title, email address, telephone number or payment information, such as your credit card number, expiration date, and credit card security code (we refer to this type of information as “Personally Identifiable Information” or “PII”).

Personal information that relates to you, identifies you, or can reasonably be expected to identify you, in relation to past, present, or future health care services provided to you (we refer to this as “Protected Health Information” or “PHI”).

Collection of Personally Identifiable Information from Third Parties

If you access the Services from an advertisement on a third-party website, application, or other service (a “Third-Party Service”) we may receive information from the owner of the Third-Party Service related to you or that advertisement.

We may also receive information about you from other sources, including through third-party services and organizations. We may combine our first-party data, such as your email address or name, with third-party data from other sources and use this to contact you (e.g. through direct mail). For example, if you access third-party services, such as Facebook, LinkedIn, Google, or Twitter, through the Services to log in to the Services or to share information about your experience on the Services with others, we may collect information from these third-party services.

Third Party Payment Service

We may use a third-party payment service to process payments or donations made through the Services. If you wish to make a payment or donation through the Services, your Personally Identifiable Information may be collected by such third party and not by us, and will be subject to the third party’s privacy policy, rather than this Privacy Policy. We are not responsible for the third party’s collection, use and disclosure of your Personally Identifiable Information.

Personally Identifiable Information of Others

If you disclose any Personally Identifiable Information relating to other people to us or our service providers in connection with the Services, you represent that you have the authority to do so and to permit us to use the information in accordance with this Privacy Policy.

Collection of Other Information

We collect other information you provide to us that doesn’t reveal your specific identity (we refer to this as “Other Information”), which includes:

Information we collect automatically such as your computer’s Internet protocol (“IP”) address, device identifiers, browser type, operating system, Internet service provider, and other standard server log information.

Information collected through cookies.

Demographic or other information provided by you that doesn’t reveal your identity.

Aggregate information that doesn’t reveal your identity.

Location information such as your mobile device’s GPS signal, or information about nearby WiFi access points and cell towers.

Our Services Use Cookies

In addition to collecting information that you submit to us, we also rely on "cookies." A cookie is a text file that a website transfers to your hard drive for record-keeping purposes. Every computer is assigned a different cookie but our cookie does not contain or collect your name or other personal identifying information. When you revisit our Services, the cookie allows us to recognize you, your age, your gender, your interests and your preferences. We also use cookies to help track the level of interest in different features on our Services and to compile data that can help us improve our content.

Your browser software can be set to reject all cookies, including cookies from our Services. Most browsers offer instructions on how to reset the browser to reject cookies in the help section of the toolbar, such as the Google Analytics Opt-out Browser Add-on. If you would like to learn more about these practices, visit the Network Advertising Initiative.

If you reject our cookie, certain functions and conveniences of the Services may not work properly. By using the Services, you consent to our use of cookies and similar technologies. We do not currently respond to browser do-not-track signals.

Information Provided through Your Browser or Device

We may also collect technical data to address and fix technical problems and improve our Services. Your device or browser settings may permit you to control the collection of this technical data. By using the Services, you are consenting to us or any party acting on our behalf collecting this technical data.

Information Provided through Your Use of Applications

When you download and use our applications, we and our service providers may track and collect application usage data.

Physical Location

We may collect the physical location of your device by using satellite, cell phone tower or WiFi signals. We may use your device’s physical location to provide you with personalized location based services and content. In some instances, you may be permitted to allow or deny such uses and/or sharing of your device’s location, but if you do, we may not be able to provide you with the applicable personalized services and content.

HIPAA Policies

In addition to this Privacy Policy, Protected Health Information provided to us via the Services is also subject to our Notice of Privacy Practices. The Notice of Privacy Practices is a separate document that governs how medical information about you may be used and disclosed by us and also describes your rights with respect to your Protected Health Information. This Privacy Policy supplements the Notice of Privacy Practices. If there is ever any conflict between this Privacy Policy and the Notice of Privacy Practices as it relates to collection and use of Protected Health Information, the Notice of Privacy Practices will apply. The Notice of Privacy Practices does not apply to information that is not Protected Health Information.

How We Use Your Information

We strive to maintain your privacy, confidentiality and security at all times. Saint Luke’s uses the information you provide to us, including any Personally Identifiable Information, to:

Present our Services and their contents to you

Provide you with information and services that you request from us, including Foundation-related fundraising activities

Personalize your experience and inform you about the services in which you have indicated an interest

Contact you and to respond to your questions

Carry out our obligations and enforce our rights arising from any contracts entered into between you and us, including for billing and collection

Send you information about additional services or general wellness from us or on behalf of our affiliates

Prevent potentially prohibited or illegal activities in accordance with our Terms of Use

Comply with applicable law

Communicate changes to our Privacy Policy and Terms of Use

For purposes of human resources recruiting and processing your employment application

In other ways we may describe when you provide the information

For any other purpose with your consent

In addition, we may use, disclose or transfer your information to a third party in the event of any reorganization, merger, sale or other disposition of all or any portion of our business or assets.

These are the limited ways we interact with your information, including any Personally Identifiable Information, in connection with our mobile applications:

When you choose to add a profile photo to our mobile apps, you may select an existing photo on your device or take a new photo using the camera app on your device. If you select an existing photo on your device, we store a copy of your chosen photo in app-private storage on your device. If you use the camera app on your device to take a new photo, the photo you take is first saved to your camera app and then also saved to app-private storage on your device. If you remove the photo from your profile or delete our mobile apps, the copy of the photo is deleted from the app-private storage, but the photo saved to your camera app remains available in your camera app until you choose to delete it. If you already have a photo stored in your profile through your healthcare organization, we do not interact with that photo in any way.

With your permission, our Services may connect to health apps such as Apple HealthKit or Google Fit to either: (1) receive health information and to share that information with your healthcare providers; or (2) provide your Protected Health Information to the third party app designated by you. We create encrypted identifiers to identify recipients of your Apple HealthKit or Google Fit data and store them on your device in app-private storage. If you choose to stop using Apple HealthKit or Google Fit or delete our mobile apps, the identifiers are deleted. We are not responsible for the information collection, use, disclosure or security policies or privacy practices of other organizations, such as Facebook, LinkedIn, Google, Apple, or Twitter or any other app developer, app provider, social media platform provider, operating system provider, wireless service provider, or device manufacturer, including with respect to any Personally Identifiable Information or Protected Health Information you disclose to other organizations through or in connection with the Services. We recommend you read the privacy policy of such organizations prior to sharing your information.

When you choose to view documents (such as letters or images) using our mobile apps, to make the files viewable for you we temporarily store copies on your device in app-private storage. The temporary copies are deleted when you close your session on our mobile apps.

When you choose to include a photo or video in a message you send to us using our mobile apps, you may select an existing photo or video from your device or take a new photo or video using the camera app on your device. If you use the camera app on your device to take a new photo or video, it will be saved to your camera app. Any photo or video saved to your camera app remains available in your camera app until you choose to delete it.

When you join a telehealth visit with your provider, we will ask for permission to access your device’s video and audio functionality to make the telehealth visit possible. We do not record or store video or audio data from these visits.

If you choose to enable the automatic appointment arrival functionality, we temporarily store identifiers and times for your upcoming appointments in app-private storage to detect when you arrive for an upcoming appointment. If you choose to stop using our mobile apps or you disable automatic appointment arrival, the identifiers are deleted.

You may choose to allow our mobile apps to interact with your location data for purposes of location-based check in for in-person appointments, or to find healthcare providers near you. We do not store your location data.

You may choose to allow our mobile apps to interact with your Bluetooth data for purposes of notifying front desk staff electronically when you arrive for an appointment. We do not store your Bluetooth data.

While you use our apps, we collect non-identifying information so we can provide customer service to you or your healthcare organization and understand how people use our mobile apps so we can improve our products. This information includes the time you began using the app, the healthcare organization you interacted with, any error messages or codes, the model of device used and its operating system, and the version of our mobile app used. If you use Android devices, we also collect your connection type (cellular or WiFi) during an error.

While you use our apps, if you choose to call a phone number displayed within the app, we will ask for permission to access your device’s phone to place a call to the phone number. We do not store your call history or data about the call.

You may contact us through the methods listed under the “Contacting Us” section below. If you contact us, we may keep a record of the communication. You can decide how much information you want to share with us in those cases.

For Android Users – Required Google Play Disclosures for Certain Health Apps:

Google has determined our mobile apps are subject to their COVID-19 apps requirements. As a result, we are required to provide the following information so we can make our mobile apps available to you in the Play store.

  • Our mobile apps interact with your microphone only if you choose to use your microphone to navigate our mobile apps. Our mobile apps interact with your camera roll only if you choose to add a profile image to a profile in our mobile apps. This information is not used in connection with COVID-19.
  • Our mobile apps access, collect, use, and share your information (including video, audio, images, files) as stated above in the section titled, “How We Use Your Information.” We also prominently highlight these uses, describe the type of data being accessed, and obtain your consent for these purposes as you use our mobile apps.
  • Our mobile apps were not created specifically for the COVID-19 pandemic. They existed before the COVID-19 pandemic to allow you to access certain information on file with us. You may access COVID-19-related vaccination information, laboratory test results, and documents with illness-related information using our mobile apps. You may choose if or how you want to access, display, or use the information – just like you can make those decisions about health information relating to other conditions, services, tests, or vaccinations.

Use and Disclosures of Other Information

We may use and disclose Other Information for any purpose, except where we are required to do otherwise under applicable law.

Our Security Measures

We use encryption practices and security controls that meet or exceed industry standards that are designed to help protect the confidentiality and integrity of the Personally Identifiable Information and/or Protected Health Information you provide to us.

You should, however, be aware that there is always some risk involved in transmitting information via the Internet.

Your Role, Responsibilities and Risks

Where you use a Service that is secured with a username and password, you are responsible for taking steps to protect the privacy of such credentials. In order to protect your privacy, you should:

Never share your username or password;

Always sign out when you are finished using the Service;

Use only secure web browsers;

Employ common anti-virus and anti-malware tools on your system to keep it safe;

Use a strong password with a combination of letters and numbers;

Change your password often; and

If you believe your login and/or password have been compromised, change your password immediately and notify us in accordance with the “Contacting Us” section below.

If you share your username and password with another person, this will allow that person to see your confidential medical record information. We have no responsibility concerning any breach of your confidential medical record information due to your sharing or losing your username or password.

Our Relationship with Third Parties

Additionally, we work with several types of third party vendors including those that provide products and services that we integrate into our Services and organizations that maintain the Services. These third-party vendors and service providers may not use your information for purposes other than those related to the services they are providing to us.

On occasion, Saint Luke’s may share the personal data you provide to us with other Saint Luke’s entities, affiliates and/or business partners who are acting on our behalf to help us provide you with our services. These relationships differ from our standard business partner relationship in which we license content or a product for integration. These situations include:

Sponsored or co-branded sites
We allow other companies to make services and/or content available to you, sometimes on a sponsored or co-branded basis. To access the services on a sponsored or co-branded website, you may have to complete an online registration form in addition to the registration you completed for us. Whenever you provide registration information on sponsored or co-branded websites, data can be collected. You should read the individual privacy policies of sponsored or co-branded sites and make an informed decision on whether or not you want to use the site.

External links
We feature external links to other websites that we believe you might find useful; however, we do not endorse these sites. Additionally, unless otherwise noted in this section, links to other sites are provided strictly for informational purposes and are not based on any fees or reimbursements paid to Saint Luke's Health System for “clicks.” We are not responsible for the privacy practices of these external sites. We will make every effort to notify you when you are leaving our site and we encourage you to read the privacy policy of each site you visit that may collect information or ask you to disclose personal information and/or health-related personal information.

Health Information Exchange

Health information exchanges make patient health information easily accessible between organizations. Saint Luke’s Health System participates in various electronic health information exchanges. Learn more at saintlukeskc.org/HIE.

Children's Policy

The Services are not directed to individuals under the age of 18 and we do not knowingly collect Personally Identifiable Information from individuals under 18. If we learn that we have inadvertently collected information from an individual under the age of 18, that information will be promptly and permanently removed from our servers.

Your Privacy Choices

To opt-out of data collection, make any changes or updates, or request that information be deleted, you have several choices:

Communications Opt-out
We may send you emails with information that we think you might find useful including promotions, announcements of new services and products, and newsletters on particular health topics. You may opt-out of marketing messages at any time by clicking the Unsubscribe link located in the footer of every email sent by Saint Luke’s Marketing Department or by calling Saint Luke’s Concierge at 816-932-5100. You may ask to have your medical record marked as “Do Not Solicit” during clinic or hospital registration. We will try to comply with your requests as soon as reasonably practicable. Please note we may still send you important administrative messages from which you cannot opt-out.

You may also participate in our personalized email reminder system through mySaintLuke’s that sends an email reminding you of certain health-related activities such as a doctor's visit or to schedule tests. If you decide, at any time, that you no longer wish to receive these emails you may update your notification preferences within the mySaintLuke’s patient portal.

You may also receive email notifications from other Saint Luke’s programs, such as patient satisfaction surveying, patient education, online appointment scheduling, Foundation, etc. Each program has a unique opt-out process which is communicated by the program.

For more information on opting-out of a Health Information Exchange (HIE), please visit saintlukeskc.org/HIE.

For more information on opting-out of SMS text messaging, please visit our SMS Text Messaging Terms of Service, saintlukeskc.org/text-message-help.

Remove or delete Personally Identifiable Information
You may remove previously provided Personally Identifiable Information collected in conjunction with our Services at any time by contacting us in writing at 901 E. 104th St., Mailstop 800-NE, Kansas City, Missouri 64131 or email webmaster@saint-lukes.org.

Users should be aware that it is not always technically possible to remove or delete the information you provide to us. We back up our systems to protect information from inadvertent loss, and that means a copy of your Personally Identifiable Information may exist in a non-erasable form that may be difficult or impossible for us to locate. Nevertheless, upon receiving your request we will try to remove or delete all Personally Identifiable Information stored in the databases that we use for research and daily business activities. We will not intentionally disclose any Personally Identifiable Information stored in a non-erasable format after receiving your request for removal, except as required by law.

Remove or delete Protected Health Information

Removal of your Protected Health Information is subject to our Notice of Privacy Practices. There are certain restrictions on your ability to correct, update, or remove the Protected Health Information you enter into a personal health record. If your doctor or other health care professional has access to your personal health record and they add information to that record, your personal health record could be considered an official medical record for legal purposes. In this case, information cannot be deleted or removed, only updated or annotated. If you believe information contained in your medical record is incorrect, you may request an amendment to the information. To request an amendment to your personal medical records, read through the instructions contained within the Request For Amendment form located on the Compliance and Privacy page on the website. You may return the completed form in person to any Saint Luke’s Medical Record Department, submit the form through email at privacy@saintlukeskc.org or via mail to the mailing address listed on the form.

Retention Period

We will retain your Personally Identifiable Information for as long as needed or permitted in light of the purpose(s) for which it was obtained. The criteria used to determine our retention periods include: (i) the length of time we have a relationship with you and provide the Services; (ii) whether there is a legal obligation to which we are subject; or (iii) whether retention is advisable in light of our legal position.

International Users

The Services are controlled and operated by Saint Luke’s from the United States and are not intended to subject us to the law or jurisdiction of any state, country or territory other than that of the United States. By using the Services and providing us with information, you understand and agree that your information may be transferred to and stored on servers located outside your resident jurisdiction and, to the extent you are a resident of a country other than the United States, that you consent to the transfer of such data to the United States for processing by us in accordance with this Privacy Policy.

Changes to the Privacy Policy

We may update this Privacy Policy from time to time. When we update the Privacy Policy, we will revise the “Effective Date” date above and post the new Privacy Policy. Any changes will become effective when we post the revised Privacy Policy. Your use of the Services following these changes means that you accept the revised Privacy Policy. We recommend that you review the Privacy Policy each time you visit the Services to stay informed of our privacy practices.

Contacting Us

If you have any questions or comments regarding this Privacy Policy, please contact us at privacy@saintlukeskc.org or write us at Saint Luke's Health System: ATTN: System Privacy Officer, 901 E. 104th Street, Kansas City, MO 64131. Because email messages are not always secure, please do not include sensitive information in your emails to us.