Maryland Online Data Privacy Act (MODPA) Privacy Notice

References to “our,” “us,” “we,” or “Mercy” within this Privacy Notice are to Mercy Health Services, Inc., including its wholly owned subsidiaries and affiliates, to the extent that it provides services or operates in Maryland. This MODPA Privacy Notice only addresses the collection and use of personal information that is subject to the Maryland Online Data Privacy Act of 2024 (“MODPA”). References to “you” or “your” in this Privacy Notice refers to users of non-medical portions of Mercy facilities, users of Mercy’s publicly facing websites, and prospective, current, and former donors to the Foundation.

This MODPA Privacy Notice is in addition to, and does not replace, our Notice of Privacy Practices, which explains how we use and disclose our patients’ protected health information (“PHI”) under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Should there be a conflict between the terms of this MODPA Privacy Notice and the Notice of Privacy Practices with respect to PHI, the Notice of Privacy Practices will control. For the avoidance of doubt, MODPA explicitly excludes data that is protected by HIPAA. For more information on how Mercy uses and discloses PHI, please see our Notice of Privacy Practices.

We may obtain your personal information in a variety of ways, both online and offline. Examples include when you visit our facilities or our website (which would include www.mdmercy.com and www.stellamaris.org) or when you make a donation to the Mercy Health Foundation (“Foundation”). For more information on how we collect information via our website, please see our Website Terms of Use.

This MODPA Privacy Notice explains the types of personal data we collect, how we use it, who we disclose it to, how we protect it, and your legal rights. Please read the following carefully as it explains our views and practices regarding your personal data and how it is handled. “Personal data” means any information which identifies you, such as your name or phone number. “Personal data” also includes other information like your date of birth, gender, and ethnicity, which, when combined, identifies you. When data is stored in a way that does not identify you personally, it is not considered personal data. Aggregate or deidentified data or various types of publicly available data does not fall into the definition of “personal data.”

Processing of Personal Data

Categories of personal data you provide to us.

  • Contact information, such as your first and last name, salutation, nicknames, billing and mailing addresses, phone number, email address, and company name.
  • Payment information, such as credit card information or ACH information.
  • Interaction information including records relating to communications by email, phone, or other methods or records related to visits to our website.
  • Donor information
    • For non-patient donors: names of family members, family member addresses, publicly available donation history, records of participation in events
    • For patient donors: consistent with our Notice of Privacy Practices, as part of fundraising activities, Mercy may contact patients to make them aware of giving opportunities.
  • Professional or employment-related information, such as your job title or employer information.
  • Demographic information, such as race or gender.
  • Online identifiers, such as your IP address, MAC address, SSIDs, and other device or persistent identifiers, device characteristics (such as browser information), web server logs, and cookies.
  • Marketing information, such as your preferences for receiving our marketing communications and details about your engagement with them.
  • Audio, electronic, and visual information, such as photographs, video and voice recordings of conversations with you as permitted by law, and security camera recordings of your activity in or outside our facilities.

Purpose for collecting and processing personal data.

We primarily use your personal data in order to provide services that you have requested such as payment for parking or in our café or to solicit or process donations from you for the Foundation. Most commonly we will use your personal data to:

  • Process payment at our facilities
  • Engage in fundraising efforts and process donations for the Foundation
  • Respond to your request for information about services we provide
  • Ensure the safety of our personnel and facilities
  • Manage, develop, and enhance the website
  • Analyze website engagement and traffic
  • Engage in marketing activities

Some of the personal information described in the “Categories of Personal Information” section above also constitutes “sensitive data” under the MODPA. We use and disclose sensitive personal information for our business and compliance functions and for other legally authorized purposes.

Disclosure of Personal Data

We may disclose your personal data to the following categories of third parties:

  • Our service providers. We use other companies or contractors (service providers) to assist us with the provision of services. While we may use a service provider to assist in relation to any of the purposes for which we may collect personal information, they generally fit within one or more of the following categories of service providers:
    • Payment processors such as GoFundMe and major credit card providers.
    • Infrastructure and technology service providers such as cloud storage providers, donation management SaaS vendors, and vendors that manage our websites; or
    • Marketing, advertising, event, and communications providers.
  • External auditors, accountants, and legal and other professional advisors.
  • Government or regulatory authorities as required or permitted by law. We may disclose your personal information to other parties where disclosure is both legally permissible and necessary to protect or defend our rights, matters of national security, for law enforcement purposes, to enforce our agreements, or to protect your rights or those of the public.

Data Retention

We keep the categories of personal data described above for as long as necessary or permitted for the purposes described in this MODPA Privacy Notice or otherwise authorized by law. This generally means holding the information for as long as necessary to fulfill the purposes for which it was obtained, to manage our operations or your relationship with us, to protect or defend legal claims, or as we are otherwise required or permitted to keep your personal information by applicable laws or regulations.

Safeguarding your personal data

We take the security and protection of your personal data very seriously. To protect your personal information, we maintain physical, electronic, and procedural safeguards in keeping with industry standards and practices, and we review and adjust these safeguards regularly in response to advances in technology.

Your Privacy Rights

You have the following rights regarding your personal data (subject to certain exemptions):

 Right  Description
Right to Confirm Processing of Personal Data
  • You have the right to confirm if we are processing your personal data
Right of Access
  • You have the right to access your personal data
Right to Correct Inaccuracies
  • You have the right to correct inaccuracies in your personal data
Right to Obtain Copy of Personal Data in a Portable Format
  • If the processing of your personal data is done by automatic means, you have the right to obtain a copy in a portable format
Right to Delete
  • You have the right to request that we delete your personal data
Right to Obtain List of Categories of Third Parties to Whom Data is Disclosed
  • You have a right to obtain a list of the categories of third parties to which we have disclosed your personal data
Right to Withdraw Consent
  • Where you have given consent to the processing of your data, you have the right to withdraw your consent

We have the right to decline to act on requests that are manifestly unfounded, excessive, technically unfeasible, or repetitive.

If you wish to exercise any of these rights or to contact us with any questions about your personal data, please contact: MODPA@mdmercy.com

How an agent can make a request on your behalf:

  1. A parent or legal guardian of a child can exercise any of the rights listed in the chart above on behalf of the child.
  2. A guardian or conservator may exercise any of the rights listed in the chart above on behalf of a consumer.

How we handle requests we receive: We may need additional information in order to verify your identity before we are able to carry out your request. We will endeavor to respond to your request within 45 days but may extend our completion time period by an additional 45 days if it is reasonably necessary. Should we need to extend our response time, we will inform you of the reason.

How to appeal our decision: If we decline to act regarding your request, we will inform you of the justification no later than 45 days after receiving the request. We will provide information on how to appeal our decision.

Sale of personal data/targeted advertising

We do not sell personal data to third parties or process personal data for targeted advertising or for the purposes of profiling consumers in furtherance of decisions that produce legal or similarly significant effects.

Contact Us

Questions about this MODPA Privacy Notice or your personal data can be directed to MODPA@mdmercy.com

Date and Changes to This Privacy Notice

This MODPA Privacy Notice is the most recent version, and the date it was last updated is located below. We reserve the right to change our MODPA Privacy Notice as needed and you are advised to visit our website regularly to check for any amendments. If we make a change that we are required by law to inform you of in other ways (such as by email), we will do so.

Last updated: January 26, 2026