Privacy of Health Information

Beneficiary Education Notice

Protecting Your Information on Mobile Apps
Patients and insurance plan members can use mobile apps to access their health information. It is important to take an active role in protecting your health information. Knowing what to look for when choosing an app can help you make an informed decision.

Look for an easy-to-read privacy policy that clearly explains how the app will use your data. Do not use an app until you have reviewed the privacy policy.

Some things you should also consider:

  • What company created this app? Companies that do not provide health care or health insurance may not be required to follow federal privacy rules. Does the app’s privacy policy talk about the Health Insurance Portability and Accountability Act (HIPAA) or other laws the company must follow?
  • What health data will this app collect? Will this app collect other data from your device, such as your location?
  • Will your data be stored without a way for others to identify you?
  • How will this app use your data?
  • Will this app give your data to third parties?
  • Will this app sell your data for any reason, such as advertising or research?
  • Will this app share your data for any reason? If so, with whom? For what purpose?
  • How can you limit this app’s use and disclosure of your data?
  • What security measures does this app use to protect your data? 
  • What impact could sharing your data with this app have on others, such as your family members?
  • How can you access your data and change it if it is incorrect?
  • Does this app have a process for collecting and responding to user complaints?
  • If you no longer want to use this app, or if you no longer want this app to have access to your health information, how can you stop the app’s access to your data?
  • What is the app’s policy for deleting your data once you stop access? Do you have to do more than just delete the app from your device?
  • How does this app let users know of changes that could affect its privacy practices?

If the app’s privacy policy does not clearly answer these questions, rethink using the app to access your health information. Health information is very sensitive. Be careful to choose apps with strong privacy and security standards.

What should a member consider if part of an enrollment group?
Some health plan members may be part of an enrollment group where they share the same health plan as other members of their tax household. This is more common with members who are covered by Qualified Health Plans (QHPs) on Federally-facilitated Exchanges (FFEs). Often, the primary policyholder and other members can access information for all members of an enrollment group unless a request is made to restrict access to member data.

Members should be told how their data will be accessed and used if they are part of an enrollment group. This access and use is based on the enrollment group policies of their health plan in the state where they live.

Members who share a tax household but who do not want to share an enrollment group have the option of enrolling each household member into separate enrollment groups. This can even be done while applying for exchange coverage and financial assistance on the same application. But, this may cause higher premiums for the household and some members. For example, dependent minors may not be able to enroll in all QHPs in a service area if using their own enrollment group. It may also cause higher total out-of-pocket expenses if each member has to meet a separate annual limit on cost-sharing, such as your out-of-pocket maximum.

What are my rights under HIPAA, and who must follow HIPAA? 
The U.S. Department of Health & Human Services (HHS) Office for Civil Rights (OCR) enforces the HIPAA Privacy, Security and Breach Notification Rules and the Patient Safety Act and Rule.


Are third-party apps covered by HIPAA?
Most third-party apps are not covered by HIPAA. Instead, these apps are often controlled by the Federal Trade Commission (FTC) and the protections of the FTC Act. The FTC Act, among other things, protects against dishonest acts. For example, it would protect against an app sharing personal data without permission, even though there is a privacy policy that says it will not do so.


What should you do if you think someone has gained access to your data or an app has used your data in a way it should not have?
If you have a complaint about how Sanford Health Plan has used or disclosed your data, please contact us:

Sanford Health Plan
PO Box 91110
Sioux Falls, SD 57109-1110

Sanford Health Plan Customer Service
(800) 752-5863

Notice of Privacy Practices

This Notice Describes How Health Information About You May Be Used and Disclosed and How You Can Get Access to this Information. Please Review it Carefully.
This Notice applies to Sanford Health Plan. If you have questions about this Notice, please contact our Member Services Department at (800) 752-5863. You may also email your questions to

This Notice describes how we will use and disclose your health information. The terms of this Notice apply to all health information generated or received by Sanford Health Plan, whether recorded in our business records, your medical record, billing invoices, paper forms, or in other ways.


How we use and disclose your health information

We use or disclose your health information as follows (in Minnesota, we will obtain your prior consent):

  • Help manage the health care treatment you receive: We can use your health information and share it with professionals who are treating you. For example, a doctor may send us information about your diagnosis and treatment plan so we can arrange additional services.
  • Pay for your health services: We can use and disclose your health information as we pay for your health services. For example, we share information about you with your primary care physician to coordinate payment for those services.
  • For our healthcare operations: We may use and share your health information for our day-to-day operations, to improve our services, and contact you when necessary. For example, we use health information about you to develop better services for you. We are not allowed to use genetic information to decide whether we will give you coverage and the price of that coverage. This does not apply to long term care plans.
  • Administer your plan: We may disclose your health information to your health plan sponsor for plan administration. For example, your company contracts with us to provide a health plan, and we provide your company with certain statistics to explain the premiums we charge.

We may share your health information in the following situations unless you tell us otherwise. If you are not able to tell us your preference, we may go ahead and share your information if we believe it is in your best interest or needed to lessen a serious and imminent threat to health or safety:

  • Friends and Family: We may disclose to your family and close personal friends any health information directly related to that person’s involvement in payment for your care.
  • Disaster Relief: We may disclose your health information to disaster relief organizations in an emergency.

We may also use and share your health information for other reasons without your prior consent:

  • When required by law: We will share information about you if state or federal law requires it, including with the Department of Health and Human Services if it wants to see that we’re complying with federal privacy law.
  • For public health and safety: We can share information in certain situations to help prevent disease, assist with product recalls, report adverse reactions to medications, and to prevent or reduce a serious threat to anyone’s health or safety.
  • Organ and tissue donation: We can share information about you with organ procurement organizations.
  • Medical examiner or funeral director: We can share information with a coroner, medical examiner, or funeral director when an individual dies.
  • Workers’ compensation and other government requests: We can share information to employers for workers’ compensation claims. Information may also be shared with health oversight agencies when authorized by law, and other special government functions such as military, national security and presidential protective services.
  • Law enforcement: We may share information for law enforcement purposes. This includes sharing information to help locate a suspect, fugitive, missing person or witness.
  • Lawsuits and legal actions: We may share information about you in response to a court or administrative order, or in response to a subpoena.
  • Research: We can use or share your information for certain research projects that have been evaluated and approved through a process that considers a patient’s need for privacy.

We may contact you in the following situations:

  • Treatment options: To provide information about treatment alternatives or other health related benefits or Sanford Health Plan services that may be of interest to you.
  • Fundraising: We may contact you about fundraising activities, but you can tell us not to contact you again.


Your Rights That Apply To Your Health Information
When it comes to your health information, you have certain rights.

  • Get a copy of your health and claims records: You can ask to see or get a paper or electronic copy of your health and claims records and other health information we have about you. We will provide a copy or summary to you usually within 30 days of your request. We may charge a reasonable, cost-based fee.
  • Ask us to correct your health and claims records: You can ask us to correct health information that you think is incorrect or incomplete. We may deny your request, but we’ll tell you why in writing. These requests should be submitted in writing to the contact listed below.
  • Request confidential communications: You can ask us to contact you in a specific way (for example, home or office phone) or to send mail to a different address. Reasonable requests will be approved. We must say “yes” if you tell us you would be in danger if we do not.
  • Ask us to limit what we use or share: You can ask us to restrict how we share your health information for treatment, payment, or our operations. We are not required to agree to your request, and we may say “no” if it would affect your care.
  • Get a list of those with whom we’ve shared information: You can ask for a list (accounting) of the times we’ve shared your health information for six years prior, who we’ve shared it with, and why. We will include all disclosures except for those about your treatment, payment, and our health care operations, and certain other disclosures (such as those you asked us to make). We will provide one accounting a year for free, but we will charge a reasonable cost-based fee if you ask for another within 12 months.
  • Get a copy of this privacy notice: You can ask for a paper copy of this Notice at any time, even if you have agreed to receive it electronically. We will provide you with a paper copy promptly.
  • Choose someone to act for you: If you have given someone medical power of attorney or if someone is your legal guardian, that person can exercise your rights and make choices about your health information.
  • File a complaint if you feel your rights are violated: You can complain to the U.S. Department of Health and Human Services Office for Civil Rights if you feel we have violated your rights. We can provide you with their address. You can also file a complaint with us by using the contact information below. We will not retaliate against you for filing a complaint.

Contact Information:
Sanford Health Plan Customer Service Department
PO Box 91110
Sioux Falls, SD 57109-1110
(800) 752-5863

Our Responsibilities Regarding Your Health Information

  • We are required by law to maintain the privacy and security of your health information.
  • We will let you know promptly if a breach occurs that may have compromised the privacy or security of your health information.
  • We must follow the duties and privacy practices described in this Notice and offer to give you a copy. We will not use, share, or sell your information for marketing or any purpose other than as described in this Notice unless you tell us to in writing. You may change your mind at any time by letting us know in writing.

Changes to this Notice

We may change the terms of this Notice, and the changes will apply to all information we have about you. The new Notice will be available upon request and on our website

Effective Date
This Notice of Privacy Practices is effective September 23, 2013.

Notice of Organized Health Care Arrangement for Sanford Health Plan
Sanford Health Plan and Sanford Health Plan of Minnesota have agreed, as permitted by law, to share your health information among themselves for the purposes of treatment, payment, or healthcare operations. This notice is being provided to you as a supplement to this Notice of Privacy Practices.

Confidentiality and Disclosure of Personal Health Information
Sanford Health Plan receives and maintains a great deal of personal health information about our Members and we protect the privacy of all patient information in accordance with state privacy and federal HIPAA regulations. We will share personal health information of Members as necessary to carry out treatment, payment, and health care operations as permitted by law.

We are required by law to maintain the privacy of our Members' personal health information and to provide Members with notice of our legal duties and privacy practices with respect to your personal health information.

No use or disclosure of personal health information may be made by any applicable person to a plan sponsor (i.e. employer) unless at least one of the following conditions is met:

  1. Sanford Health Plan receives a signed certification from the employer that the plan documents restrict the use and disclosure of personal health information as required by the HIPAA regulations on privacy and confidentiality, and that the employer agrees to comply with the restrictions, and the information has been requested by the employer for use in carrying out plan administrative functions only (i.e. employers must certify they do not use or disclose the information for employment-related actions and decisions);
  2. The information provided to the employer is summary health information, and the employer has requested it for the purpose of obtaining premium quotes, or determining whether to amend, modify or terminate the sponsored health plan (summary health information means personal health information that summarizes the claims history, claims expenses, or type of claims experienced by individuals for whom an employer has provided health benefits under a group health plan, and from which all individual identifiers are eliminated);
  3. The information provided to the employer is enrollment or disenrollment information or information on whether individuals are participating in the sponsored plan, and the employer has requested it for the purpose of administering the sponsored plan; or
  4. There is a signed authorization by the Member or the Member's representative which specifically authorizes the use or disclosure. A signed authorization form is required for uses by or disclosures to an employer if the use or disclosure does not meet the conditions described in paragraph 1, 2 or 3 above. Prior to any use by or disclosure to an employer under this paragraph 4, the procedures for obtaining and verifying authorization described in the policy for Obtaining and Complying With Member Authorizations must be followed.

Protection of Oral, Written and Electronic Information Across the Organization
All Members of our workforce are required to comply with the provisions of the Plan’s workforce policy on General Obligations Regarding Uses and Disclosures of Personal Health Information. We consider workforce to include employees (Part time, Full time, and PRN), volunteers, trainees, and other persons whose work performance is under the direct control of Sanford Health Plan, whether or not they are paid by Sanford Health Plan.

  • Personal health information of a Member may not be used within Sanford Health Plan for non-health plan functions, unless such use or disclosure is specifically authorized by a signed authorization by the Member.
  • When using, requesting or disclosing a Member's personal health information, all reasonable efforts are made to limit the information used, requested or disclosed to that which is minimally necessary to accomplish the purpose of the use or disclosure in accordance with our Minimum Necessary Policy. All workforce members must attend required educational and training sessions relating to privacy and confidentiality of personal health information.
  • All workforce members must take reasonable steps to safeguard personal health information from any intentional or unintentional use or disclosure that is in violation of this or any other policy of Sanford Health Plan. Such safeguarding includes, but is not limited to, storing personal health information in a cabinet or closed file at the end of the workday; maintaining privacy during oral discussions of personal health information; restricting electronic transmission of personal health information to job related duties; and disposing of documents strictly in accordance with policies of Sanford Health Plan.
  • Sanford Health Plan will take appropriate disciplinary measures against workforce members who violate any policy or procedure of Sanford Health Plan concerning the privacy of member information. Discipline for such infractions of our privacy policies and procedures may include reprimand, suspension, or discharge of the responsible workforce member, depending on the severity of the misconduct.