> Skip repeated content

MyHSS Privacy Policy

Last Updated December 18, 2024

Hospital for Special Surgery and The Hospital for Special Surgery Fund, Inc. (collectively, “HSS”, “we,” “our,” or “us”) offers MyHSS as a mobile application available through the Apple App Store and Google Play (the “MyHSS App”) and as a web application available at https://myhss.hss.edu/MyHSS (collectively, “MyHSS”).

Any access to or use of MyHSS is subject to the terms and conditions of this privacy policy (this “Privacy Policy”) and the terms of use for MyHSS available at www.hss.edu/myhss-terms-of-use

(the “Terms of Use”), and is incorporated into and made a part of this Privacy Policy.

By downloading, accessing, or using MyHSS, or otherwise affirmatively acknowledging this Privacy Policy or the Terms of Use (e.g., by clicking “I Agree” in connection therewith), you accept and agree to be bound and acknowledge this Privacy Policy and the Terms of Use. This Privacy Policy together with the Terms of Use constitute a binding agreement between you and HSS. If you do not agree to this Privacy Policy or the Terms of Use, you may not download, access, or use MyHSS and must immediately uninstall and discontinue all access to and use of MyHSS.

Your online privacy is important to us and this Privacy Policy explains the types of information we gather, what we do with it, and how you may correct or change information that we may collect. This Privacy Policy describes the privacy practices for MyHSS.

This Privacy Policy applies to information we collect:

  • on MyHSS; or
  • electronic messages between you and MyHSS.

It does not apply to information collected by us offline or through any other means, including on any other external websites, including through the webview functionality of MyHSS.

For information about our privacy practices regarding Protected Health Information (“PHI”) that we collect through MyHSS, please refer to our Notice of Privacy Practices here https://www.hss.edu/notice-of-privacy-practices.asp. PHI is individually identifiable health information that is protected by the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations (“HIPAA”). If there is a conflict between this Privacy Policy and the HSS Notice of Privacy Practices, if applicable, the Notice of Privacy Practices will apply. If you are an individual located in the European Union, United Kingdom, Iceland, Liechtenstein, or Norway, please refer to our General Data Protection Regulation Privacy Disclosures (“GDPR”) located here: https://www.hss.edu/files/GDPR-Privacy-Disclosures.pdf.

MyHSS is developed by Epic Systems Corporation; please refer to Epic’s Security and Privacy Policies (the “Epic Privacy Policy”) for more detailed information about the ways they may interact with your information to make your use of MyHSS possible. Please also refer to the Epic Privacy Policy for information regarding Epic’s data retention and deletion policy.

Please read this Privacy Policy carefully to understand our policies and practices regarding your information and how we will treat it. By accessing or using MyHSS, you acknowledge the terms of this Privacy Policy. This Privacy Policy may change from time to time (see Changes to Our Privacy Policy). Your continued use of MyHSS after we make changes is deemed to be acknowledgment of those changes, so please check this Privacy Policy periodically for updates.

Table of Contents

  • Collection of Your Information
    • Information that We Collect Automatically
    • Information that You Provide to Us
    • Use of Your Information
    • How We Disclose Your Information
  • Access to Your Own Information/Opt-Out
  • Our Commitment to Children's Privacy
  • Links to Other Sites
  • Third-Party Service Providers
  • Security
  • Legal Disclaimer
  • Changes to this Policy
  • Contact Us

Collection of Your Information

The goal of MyHSS is to allow HSS patients to, among other actions:

  • Correspond securely with HSS providers;
  • Access your medical record, billing record and test results;
  • Schedule appointments with specialists you have seen before or new specialists, in person or virtually;
  • View details of past and upcoming appointments;
  • Complete pre-check forms and other appointment-related questionnaires;
  • Respond to patient surveys; and
  • Access HSS-produced content and resources related to our services, educational and research activities, and our physicians and other healthcare providers

We collect information about our users to understand their interests in order to update the information we provide. To the extent that any of the Personal Information (as defined below) addressed in this Privacy Policy constitutes PHI, HSS’s use and disclosure of such Personal Information will be governed not only by this Privacy Policy but also by the HSS Notice of Privacy Practices, available at https://www.hss.edu/notice-of-privacy-practices.asp.

Generally

We may collect several types of information from and about users of MyHSS, specifically information:

  • that alone or when in combination with other information may be used to readily identify, contact, or locate an individual including information such as name, postal address, billing address, work address, shipping address, geolocation (when accessing location services), e-mail address, home, work, and mobile telephone numbers, MyHSS account information and numbers, date of birth, credit or debit card number (for payment purposes only), biometrics, information about your race and ethnicity, gender identity, sex assigned at birth, sexual orientation and information regarding your religious beliefs (“Personal Information”);
  • about your access and use of MyHSS, including traffic data, location data, logs, referring/exit pages, date and time of your use of MyHSS, error information, clickstream data, and other communication data and the resources that you access and use on MyHSS;
  • about your use of HSS services, including medical or wellness services, to the extent that such information becomes part of your electronic medical record stored in Epic (“EMR”);
  • about your health and fitness when collected through Apple’s HealthKit, Google Fit, Fitbit or other similar health data applications that you choose to connect with MyHSS; and/or
  • about your internet connection, the equipment you use to access MyHSS and usage details.

We may collect this information:

  • directly from you when you provide it to us;
  • automatically as you navigate through MyHSS; and
  • from third-parties, for example, our business partners or service providers.

Information that We Collect Automatically. Each time a user comes to or uses MyHSS, we automatically collect some information to help us assess what users wish to know. We collect a user’s IP address(es) and the types of domains from which the user visits MyHSS (for example, whether the user logged on from a .com, .gov, .edu, or other domain), referral data (for example, the address of the last URL a user visited prior to clicking through to MyHSS), browser and platform type (for example, a Microsoft browser or an Apple platform), and information regarding how frequently our users request or indicate an interest in certain types of information on MyHSS. We collect this information to improve our content and keep it in line with the needs of our users. We will use this information to direct our efforts to better meet the needs of our users, by analyzing how often users are accessing certain features of MyHSS.

Information that You Provide to Us. MyHSS may also collect Personal Information about you that you provide to us and/or Personal Information, including health and demographic information, we may gather in preparation for, at or in relation to your visiting our facilities, including medical facilities. We use that Personal Information for the purpose of providing information, services, or materials to you that you have requested, unless you specifically consent to (or, if required by applicable law, authorize in writing) other uses of your information. When you register for use of MyHSS, we will require that you provide your name and e-mail address, and may also require that you provide additional information, such as your address, and indication of your affiliation with HSS. In some cases, HSS uses a third-party identity verification provider such as Experian, and this third-party may request additional information to verify your identity in connection with your registration for MyHSS. HSS, however, does not receive the information that users provide to such third-parties. We use the information that you provide to us to improve your experience on MyHSS and to enable you to maintain and gain access to your specially personalized areas of MyHSS. We share your Personal Information with authorized HSS employees and staff, health care providers affiliated with HSS, certain third-party vendors who provide services to HSS (as described more fully below), and other third-parties as required by applicable law. We do not otherwise share your Personal Information without your consent (or, if required by applicable law, written authorization).

Health Information

As mentioned above, our collection of Personal Information may include our collection of your health information, including, but not limited to, sensitive health information such as sexually transmitted diseases (e.g., HIV) and/or reproductive health diagnoses or treatments, to the extent such information becomes part of your EMR at any time when you are under the care of a healthcare provider at HSS (which may include your provision of such information in advance of an appointment), or if you otherwise provide such information to us through MyHSS. MyHSS gives you the ability to view and share health information which is stored in the EMR, communicate with your healthcare providers, schedule appointments, learn about health and wellness, and other related activities.

Use of Your Information

We may use information that we collect about you or that you provide to us, including any Personal Information:

  • to present MyHSS to you;
  • to provide you with information, products, or services that you request from us;
  • to enhance your experience, for example, by personalizing your experience when you use MyHSS, such as by tailoring content and remembering your preferences;
  • to process, fulfill, and administer transactions and orders for products and services ordered by you;
  • to contact you in response to a request;
  • to fulfill any other purpose for which you provide it;
  • to verify your identity;
  • to carry out our obligations and enforce our rights arising from any contracts entered into between you and us, including for billing and collection;
  • to notify you about changes to MyHSS, or any products or services we offer or provide though them;
  • in any other way we may describe when you provide the information; and
  • for any other purpose with your consent.

We may also use your information to contact you about goods and services that may be of interest to you, including through newsletters that you request. If you wish to opt-out of receiving such communications, you may do so at any time by clicking unsubscribe at the bottom of these communications.

Additional Features

We include below additional features which you may access based on the specific actions you take on MyHSS. Some of these features are only available if you use the mobile application version of MyHSS.

If you choose to add a profile photo to MyHSS, you may select an existing photo on your device or take a new photo using the camera app on your device. If you select an existing photo on your device, we store a copy of your chosen photo in app-private storage on your device. If you use the camera app on your device to take a new photo, the photo you take is first saved to your camera app and then also saved to app-private storage on your device. If you remove the photo from your profile or delete MyHSS, the copy of the photo is deleted from the app-private storage, but the photo saved to your camera app remains available in your camera app until you choose to delete it.

When you choose to include a photo or video in a message you send to us using MyHSS, you may select an existing photo or video from your device or take a new photo or video using the camera app on your device. If you use the camera app on your device to take a new photo or video, it will be saved to your camera app. Any photo or video saved to your camera app remains available in your camera app until you choose to delete it.

When you choose to use My CareGuide (a custom HSS tool that acts as an extension of MyHSS), we may collect certain information about your device, logins, content accessed, and timestamps of content accessed in order to allow us to personalize your experience and create customized content for personalized care leading up to and after surgery.

When you choose to use Apple’s HealthKit, Google Fit, Fitbit or other similar health data applications, we create encrypted identifiers to identify recipients of such application’s data and store them on your device in app-private storage. If you choose to stop using such application or delete MyHSS, the identifiers are deleted.

When you choose to view documents from your healthcare provider at HSS (such as letters or images) using MyHSS, to make the files viewable for you we temporarily store copies on your device in app-private storage. The temporary copies are deleted when you close your session on MyHSS.

If you enable automatic appointment arrival, we temporarily store identifiers and times for your upcoming appointments in app-private storage to detect when you arrive for an upcoming appointment. If you choose to stop using MyHSS or you disable automatic appointment arrival, the identifiers are deleted.

We may provide functionality that offers location-based check in for in-person appointments, or allows you to find healthcare providers near you. You may choose to allow MyHSS to interact with your location data for those purposes. We do not store your location data.

If we allow you to notify front desk staff electronically when you arrive for an appointment, you may choose to allow MyHSS to interact with your Bluetooth data for this purpose. We do not store your Bluetooth data.

While you use MyHSS, we collect non-identifying information so we can provide customer service to you and understand how people use MyHSS so we can improve our products. This information includes the time you began using MyHSS, any error messages or codes, the model of device used and its operating system, and the version of MyHSS used. If you use Android devices, we also collect your connection type (cellular or WiFi) during an error.

You may contact us through the methods listed under “Contact Us” below. If you contact us, we may keep a record of the communication. You can decide how much information you want to share with us in those cases.

MyHSS interacts with your microphone only if you choose to use your microphone to navigate MyHSS. MyHSS interacts with your camera roll only if you choose to add a profile photo to a profile in MyHSS.

When you join a visit with your provider, we will ask for permission to access your device’s video and audio functionality to make the telehealth visit possible. We do not record or store video or audio data from these visits.

While you use MyHSS, if you choose to call a phone number displayed within MyHSS, we will ask for permission to access your device’s phone to place a call to the phone number. We do not store your call history or data about the call.

MyHSS may access, collect, use, and share your information (including video, audio, images, files, phone) as stated above in the section titled, “Additional Features.” We also prominently highlight these uses, describe the type of data being accessed, and obtain your consent for these purposes as you use MyHSS.

How We Disclose Your Information

We do not share, sell, or otherwise disclose your Personal Information for purposes other than those outlined in this Privacy Policy (and, with respect to Personal Information that constitutes PHI, our Notice of Privacy Practices). However, we may disclose aggregated information about our users, and information that does not identify any individual, without restriction.

We may disclose Personal Information that we collect or you provide as described in this Privacy Policy:

  • to contractors, service providers, and other third-parties we use to support our business. The services provided by these organizations include providing IT and infrastructure support services; app operation, app hosting, and providing analytics services; and fraud prevention, fulfillment, billing, ordering, marketing, and payment processing services;
  • to a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, or other affiliation, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which Personal Information held by HSS about users of MyHSS are among the assets transferred;
  • to fulfill the purpose for which you provide it (for example, we may disclose your Personal Information to a healthcare provider);
  • for any other purpose disclosed by us when you provide the information; and,
  • to third-parties, including outside companies, organizations or individuals, when we have your consent to do so.

We may also disclose your Personal Information:

  • to comply with any court order, law, or legal process, including to respond to any government or regulatory request;
  • to enforce or apply our MyHSS Terms of Use and other agreements, including for billing and collection purposes; and
  • if we believe disclosure is necessary or appropriate to protect the rights, property, or safety of HSS, our customers, or others (including the exchange of information with other companies, organizations or government entities for the purposes of fraud protection, credit risk reduction, or to prevent or address criminal activity).

Instances when we collect Personal Information from you through MyHSS, and how we may use and/or disclose that information in those instances, include, without limitation:

  • Electronic Communication with HSS Healthcare Providers and Medical Staff.
    • Via MyHSS Messaging. If you send information to your HSS healthcare provider through the MyHSS messaging function, any Personal Information you send will become part of your medical record and subject to access by other HSS healthcare providers or medical staff involved with your care, subject to applicable laws, including HIPAA.
  • Request Medical Records. If you request a copy of your medical records, you will be prompted to download a form where you will be asked to provide the dates of the requested records, the information that you would like to be included in these records, and who you would like the records to be sent to. This information will be shared with HSS, in order to provide you with a copy of your requested medical records.
  • Pay Your Bill as a Guest. If you use our bill pay feature to pay your bills as a guest, available at https://myhss.hss.edu/MyHSS/billing/guestpay/payasguest, we will ask you to provide certain information (including a guarantor ID from your statement and your last name) to identify the facility at which you received treatment and your account balance. The bill pay feature will allow you to pay any current amounts due, the full outstanding balance, or a different amount of your choice, using a credit card or bank account of your choice. A secure server sends your credit card or bank account data to a third-party transaction processing service.
  • Use of "Cookies". A "cookie" is a small data file that websites store on your hard drive when you visit them. MyHSS uses strictly necessary cookies for security, authentication, and to allow MyHSS to function. MyHSS uses two types of cookies: session and persistent. Session cookies are cookies that are only present as long as the user’s session is active. When the session ends, the cookie is cleared. Persistent cookies are cookies that remain on the browser even after the session is ended. For a full table of the cookies that MyHSS uses, as well as the type of cookie and a description of what each cookie used for, please refer to the Epic Privacy Policy. These cookies are necessary for the function of MyHSS and you are unable to decline them.

Access to Your Own Information/Communication Preferences

If you would like to review the Personal Information collected about you through MyHSS, you may contact us at the contact information provided below (“Contact Us”).

You may also, at any time, login to your MyHSS account to adjust your settings regarding the manner in which you receive communications and notifications from MyHSS.

Our Commitment to Children's Privacy

Protecting the privacy of children is important to HSS. We do not knowingly collect, maintain or use information provided by children under the age of twelve (12) years of age through MyHSS except in connection with proxy access for parents or legal guardians, as described in the MyHSS Terms of Use.

Links to Other Sites

In order to provide our users with other valuable information, MyHSS contains links to external websites, which may be accessed outside of MyHSS or through the webview functionality of MyHSS. Unless otherwise indicated, HSS does not control the content that appears on linked websites that are not clearly identified as HSS websites. When you access a link to an HSS website through MyHSS’s destination links, you should review the HSS website Terms of Use and Privacy Policy, as these documents govern the use and disclosure of information collected through those websites. When you access a link to a third-party website through MyHSS’s destination links, you should review that third-party website's Terms of Use and Privacy Policy, as these documents govern the use and disclosure of information collected through those websites. Links to websites are provided only for your convenience and, accordingly, you access these linked websites at your own risk. However, we try to ensure the integrity of MyHSS and our destination links, so any comments pertaining to MyHSS or any websites accessed through MyHSS’s destination links would be greatly appreciated. HSS exercises no authority over and is not responsible for any of these linked third-party websites, each of which maintains independent privacy and data collection policies and procedures, and each of which is responsible for its own content. These websites may send their own cookies to you, and may collect information from you and use it in a way that may be inconsistent with this Privacy Policy (which applies only to MyHSS).

Third Party Service Providers

MyHSS is substantially developed and maintained by Epic Systems Corporation; please refer to Epic’s Mobile Application Privacy Policy for Patients for more detailed information about the limited ways they may interact with your information to make your use of MyHSS possible. In addition, MyHSS may direct you to applications of third-party service providers who provide information and services to you on our behalf, including but not limited to services relating to telehealth, and access of health records or test results. For example, MyHSS may direct you to a third-party application to access images of test results. These third-party service providers of such applications may each maintain separate privacy policies and terms of use that you should review before using such application. For information about how we limit our third-party service providers’ collection and use of PHI, please refer to our Notice of Privacy Practices here https://www.hss.edu/notice-of-privacy-practices.asp.

Security

MyHSS uses a variety of measures to maintain the security of your Personal Information. Protocols have been developed to comply with the security requirements of government agencies and commercial organizations.

MyHSS is secured to preserve the privacy of your Personal Information. However, please remember that no transmission of data over the Internet or any wireless network (for example, a publicly accessible WiFi Hotspot in a coffee shop or airport) can be guaranteed to be 100% secure. In addition, our security is dependent upon your efforts to protect the security of any device you use to access MyHSS, including any wireless network you use, and also the confidentiality of the password you use to access MyHSS. As a result, while we strive to protect your Personal Information, MyHSS cannot guarantee the absolute security of any information that you transmit to us or receive from us, and you therefore agree to use MyHSS at your own risk. Once we receive your transmission, we do make reasonable efforts to ensure its security on our systems. All Personal Information about you that HSS creates, receives, stores, or transmits through MyHSS is covered by our Privacy Policy.

We take steps to help protect the integrity of any credit card information you submit to and through MyHSS. As noted above, we use third parties to facilitate confidential online business transactions, which includes, without limitation, billing and collecting for healthcare services you receive. When linking through MyHSS, your credit card information is encrypted using secure socket layer (SSL) technology and sent to the applicable third party server. The third party uses security technologies to facilitate secure on-line transactions and to protect your credit card information when it transfers it to the appropriate financial institutions. In some cases, HSS may have access to information maintained by the third party. In such instances, access to the third party database by designated HSS employees and officers is limited to those with a need to know such information, through the use of restricted passwords.

Legal Disclaimers

Although we make efforts to preserve user privacy, we may need to disclose Personal Information when required by law or when we have a good faith belief that such action is necessary to comply with a judicial proceeding, a court order, or other legal process. In addition, we reserve the right to report to law enforcement agencies any activities that we reasonably believe to be unlawful, and to release to such agencies information about users of MyHSS who we reasonably believe to be engaged in or involved with such activities.

Finally, in the event that HSS is (or all or substantially all of our assets are) acquired by a third-party, merges or affiliates with a third-party, or is bankrupt or ceases operations and dissolves, you should expect that any information you submitted through MyHSS may be disclosed to a third-party in connection with such business transaction, and will be transferred to a third-party.

Changes to this Policy

MyHSS may update this Privacy Policy from time to time by posting revisions to this Privacy Policy on this page.

We encourage you to check this page regularly. If you provide information to us, access, or use MyHSS in any way after this Privacy Policy has been changed, you will be deemed to have consented and agreed to such changes. The most current version of this Privacy Policy will be available on the page at all appropriate times and will supersede all previous versions of this Privacy Policy.

Your continued use of MyHSS after changes to this Privacy Policy are posted constitutes acceptance of each revised Privacy Policy regarding any information that we collect from you after the Privacy Policy is posted. If you do not agree to the terms of this Privacy Policy or any revised Privacy Policy, please do not use MyHSS.

Contact Us

If you have questions or concerns regarding this Privacy Policy, you should contact the HSS Web Director by e-mail at webmanager@hss.edu, fax at (212) 774-7240, or mail to Web Director, Hospital for Special Surgery, 535 East 70th Street, New York, NY 10021.