SMART Health IT Privacy Policy

Effective: July 1, 2021

Who We Are

SMART Health IT (“SMART”) is a real-world software, specifications, and health systems engineering project that designs, builds and implements fundamental building blocks of a robust health information economy, and supports the world in using them.

SMART includes a set of websites that give consumers general information about SMART Health Cards in an effort to address common questions and help people learn more about getting, saving, and sharing their health information in a safe, secure, and verifiable way. SMART also includes information for institutions seeking to learn more about developing, issuing, and verifying SMART Health Cards.

SMART is managed by an office of Boston Children’s Hospital, an affiliate of Harvard Medical School. When we refer to “we,” “us,” “our” and “BCH” throughout this Policy, we are referring to The Children’s Hospital Corporation, doing business as Boston Children’s Hospital.

Scope of this Policy

This Privacy Policy (“Policy”) applies to the “Services” which include only the following:

If you have any questions about this Privacy Policy or what it covers, please contact us through the options provided at the end of the Policy.

How We Collect and Use Personal Information

When we use the term “Personal Information” in this Privacy Policy, we mean any information that we directly associate with a specific person, or that reasonably can be used to identify a specific person. This includes, for example, your name, email address, phone number, and any other information we tie to these elements.

Personal Information does not include “aggregated information,” which is information that we collect about a group of people. It also does not include “de-identified information,” which is information from which individual identifying information has been removed. This Privacy Policy does not apply to our collection, use, or disclosure of aggregated or de-identified information.

There are two categories of information that we collect through the Services.

  1. Personal Information You Provide

We collect the Personal Information that you provide to us, for example, when you enter the information into form fields on our Services. In particular, we may collect:

  • Contact information, such as your name, email address and phone number, which we use to communicate with you and respond to your requests and inquiries;
  • Communication preferences, which we use to manage how we engage with you; and
  • Inquiries you make, including the content of your voice and email messages, which we use to respond to your inquiries.

  2. Information Collected Automatically

We use certain technologies on the Services to collect information that does not directly reveal your identity (“Other Information”). If we associate Other Information with Personal Information, we will treat the combined information as Personal Information in accordance with this Privacy Policy.

The technologies we use include the following:

Logging Functionality: As is true of most websites, we gather certain information automatically and store it in log files. This information may include IP addresses, browser type, internet service provider, referring/exit pages, operating systems, date/time stamp and/or clickstream data. We generally only use this data for purposes such as security, fraud detection and protecting our rights.

Cookies and Other Data Collection Technologies: We and our business partners and service providers use cookies, web beacons and similar technologies to manage our websites and email messages and to collect information about you and your visit to the Services. These technologies help us to recognize you and analyze the use of the Services and solutions for how to make them more useful to you. These technologies also allow us to aggregate statistical data and compilations of information, which may or may not include Personal Information, and provide this information to our service providers.

Most internet browsers allow you to remove or manage cookie functions and adjust your privacy and security preferences. For information on how to do this, access the “help” menu on your internet browser or visit

Analytics: We use analytics providers such as Google Analytics to help us evaluate and measure the use and performance of our Services. To opt out of the aggregation and analysis of the data collected about you on our Services by Google Analytics, visit and download and install the Google Analytics Opt-out Browser Add-on.

Additional Uses of Personal Information

In addition to the uses described above, we may use Personal Information for the following purposes:

  • Operating our SMART websites, maintaining, delivering and improving the Services, developing new products and services, and for any other lawful, legitimate business purposes;
  • Contacting you to respond to your requests and inquiries;
  • Preventing, investigating or providing notice of fraud, unlawful or criminal activity, or unauthorized access to or use of Personal Information, our website or data systems or to meet legal obligations; and
  • Enforcing our Terms of Use and other agreements.

How We Share and Disclose Personal Information

We share your Personal Information with third parties in the following ways.

Service Providers: Third party service providers who perform services on our behalf may have access to your Personal Information in the course of providing the services to us. These providers include IT services and support providers, as well as analytics providers and service providers who help us with responding to your requests. We typically require these service providers by contract to keep information confidential, and to only use the information on our behalf.

Affiliates: We may share your Personal Information with affiliated legal entities within the Boston Children’s Hospital family of companies for purposes and uses that are consistent with this Privacy Policy.

Legal Process, Safety and Terms Enforcement: We may disclose your Personal Information to legal or government regulatory authorities in response to their requests for such information or to assist in investigations. We may also disclose your Personal Information to third parties in connection with claims, disputes or litigation, when otherwise required by law, if we determine its disclosure is necessary to protect the health and safety of you or us or to enforce our legal rights or contractual commitments that you have made.

Business Transfers: Your Personal Information may be disclosed as a part of a corporate business transaction, such as a merger, acquisition, joint venture or financing or sale of company assets, and could be transferred to a third party as one of the business assets in such a transaction. It may also be disclosed in the event of insolvency, bankruptcy, or receivership.

Children’s Privacy

Our Services are not directed to, and we do not intend to, or knowingly, collect or solicit Personal Information online from children under the age of 13. We encourage parents or guardians to participate in and monitor their children’s online activity. If a child under 13 has provided Personal Information to us, we encourage the child’s parent or guardian to contact us as provided below to request that we remove the Personal Information from our systems. If you are under the age of 13, do not provide us with any Personal Information by any means.

How to Access, Update or Delete Your Information

You may contact us to request access, updates or deletions to your Personal Information through the contact information provided below. We will retain your Personal Information for as long as reasonably useful for our purposes consistent with the terms of this Privacy Policy and as necessary to comply with our legal obligations or data retention policy, to resolve disputes and to enforce our agreements.

Updates to the Privacy Policy

This Privacy Policy is subject to occasional revisions, and if we make any material changes in the way we use your Personal Information, we will notify you by prominently posting notice of the changes on the Services and updating the effective date of the Privacy Policy. Any changes to this Privacy Policy will be effective upon thirty calendar days following our posting of notice of the changes on the Services. If you do not wish to permit changes in our use of your Personal Information, you must notify us that you wish for us to delete your Personal Information prior to the effective date of the changes. Continued use of our Services, following such changes, will indicate your acknowledgement of and agreement to be bound by the changes.

How to Contact Us

If you have any questions or comments about this Privacy Policy or other privacy-related matters, you may contact us in the following ways:

Mailing Address: Boston Children’s Hospital, 300 Longwood Avenue, Boston, MA 02115
Email Address: