Privacy of Health Information

Protecting Your Information on Mobile Apps
Patients and insurance plan members can use mobile apps to access their health information. It is important to take an active role in protecting your health information. Knowing what to look for when choosing an app can help you make an informed decision.

Look for an easy-to-read privacy policy that clearly explains how the app will use your data. Do not use an app until you have reviewed the privacy policy.

Some things you should also consider:

• What company created this app? Companies that do not provide health care or health insurance may not be required to follow federal privacy rules. Does the app’s privacy policy talk about the Health Insurance Portability and Accountability Act (HIPAA) or other laws the company must follow?
• What health data will this app collect? Will this app collect other data from your device, such as your location?
• Will your data be stored without a way for others to identify you?
• How will this app use your data?
• Will this app give your data to third parties?
• Will this app sell your data for any reason, such as advertising or research?
• Will this app share your data for any reason? If so, with whom? For what purpose?
• How can you limit this app’s use and disclosure of your data?
• What security measures does this app use to protect your data? 
• What impact could sharing your data with this app have on others, such as your family members?
• How can you access your data and change it if it is incorrect?
• Does this app have a process for collecting and responding to user complaints?
• If you no longer want to use this app, or if you no longer want this app to have access to your health information, how can you stop the app’s access to your data?
• What is the app’s policy for deleting your data once you stop access? Do you have to do more than just delete the app from your device?
• How does this app let users know of changes that could affect its privacy practices? If the app’s privacy policy does not clearly answer these questions, rethink using the app to access your health information. Health information is very sensitive. Be careful to choose apps with strong privacy and security standards.

If the app’s privacy policy does not clearly answer these questions, rethink using the app to access your health information. Health information is very sensitive. Be careful to choose apps with strong privacy and security standards.

What should a member consider if part of an enrollment group?
Some health plan members may be part of an enrollment group where they share the same health plan as other members of their tax household. This is more common with members who are covered by Qualified Health Plans (QHPs) on Federally-facilitated Exchanges (FFEs). Often, the primary policyholder and other members can access information for all members of an enrollment group unless a request is made to restrict access to member data.

Members should be told how their data will be accessed and used if they are part of an enrollment group. This access and use is based on the enrollment group policies of their health plan in the state where they live.

Members who share a tax household but who do not want to share an enrollment group have the option of enrolling each household member into separate enrollment groups. This can even be done while applying for exchange coverage and financial assistance on the same application. But, this may cause higher premiums for the household and some members. For example, dependent minors may not be able to enroll in all QHPs in a service area if using their own enrollment group. It may also cause higher total out-of-pocket expenses if each member has to meet a separate annual limit on cost-sharing, such as your out-of-pocket maximum.

• Learn more about member rights under HIPAA and who must follow HIPAA. 
• Download a HIPAA FAQ from HHS.
  

Are third-party apps covered by HIPAA?
Most third-party apps are not covered by HIPAA. Instead, these apps are often controlled by the Federal Trade Commission (FTC) and the protections of the FTC Act. The FTC Act, among other things, protects against dishonest acts. For example, it would protect against an app sharing personal data without permission, even though there is a privacy policy that says it will not do so.

• Read more from the FTC about mobile app privacy and security.
  

What should you do if you think someone has gained access to your data or an app has used your data in a way it should not have?
If you have a complaint about how Sanford Health Plan has used or disclosed your data, please contact us:

Sanford Health Plan
PO Box 91110
Sioux Falls, SD 57109-1110

Sanford Health Plan Customer Service
(800) 752-5863

• Learn more about filing a complaint with the OCR under HIPAA.
• Individuals can file a complaint with OCR using the OCR complaint portal. 
• Individuals can file a complaint with the FTC using the FTC complaint assistant.

THIS NOTICE DESCRIBES HOW HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

This Notice of Privacy Practices (“Notice”) applies to Sanford Health Plan including Align powered by Sanford Health Plan and Great Plains Medicare Advantage. If you have questions about this Notice, please contact Customer Service at (800) 752-5863 (toll-free) | TTY/TDD 711.

This Notice describes how we will use and disclose your health information. The terms of this Notice apply to all health information generated or received by Sanford Health Plan, whether recorded in our business records, your medical record, billing invoices, paper forms, or in other ways. Unless otherwise provided by law, any data or information pertaining to the health, diagnosis, or treatment of a Member under a policy or contract, or a prospective Member, obtained by Sanford Health Plan from that person or from a health care Provider, regardless of whether the information is in the form of paper, is preserved on microfilm, or is stored in computer-retrievable form, is confidential and may not be disclosed to any person except as set forth below.

HOW WE USE AND DISCLOSE YOUR HEALTH INFORMATION

We use or disclose your health information as follows (In Minnesota we will obtain your prior consent):

• Help manage the health care treatment you receive: We can use your health information and share it with professionals who are treating you. For example, a doctor may send us information about your diagnosis and treatment plan so we can arrange additional services.
• Pay for your health services: We can use and disclose your health information as we pay for your health services. For example, we share information about you with your Primary Care Practitioner and/or Provider to coordinate payment for those services.
• For our health care operations: We may use and share your health information for our day-to-day operations, to improve our services, and contact you when necessary. For example, we use health information about you to develop better services for you. We are not allowed to use genetic information to decide whether we will give you coverage and the price of that coverage. This does not apply to long-term care plans.
• Administer your plan: We may disclose your health information to your health plan sponsor for plan administration. For example, your company contracts with us to provide a health plan, and we provide your company with certain statistics to explain the Premiums we charge.

We may share your health information in the following situations unless you tell us otherwise. If you are not able to tell us your preference, we may go ahead and share your information if we believe it is in your best interest or needed to lessen a serious and imminent threat to health or safety:

• Friends and Family: We may disclose to your family and close personal friends any health information directly related to that person’s involvement in payment for your care.
• Disaster Relief: We may disclose your health information to disaster relief organizations in an emergency.

We may also use and share your health information for other reasons without your prior consent:

• When required by law: We will share information about you if State or federal law require it, including with the Department of Health and Human services if it wants to see that we’re complying with federal privacy law.
• For public health and safety: We can share information in certain situations to help prevent disease, assist with product recalls, report adverse reactions to medications, and to prevent or reduce a serious threat to anyone’s health or safety.
• Organ and tissue donation: We can share information about you with organ procurement organizations. 
• Medical examiner or funeral director: We can share information with a coroner, medical examiner, or funeral director when an individual dies.
• Workers’ compensation and other government requests: We can share information to employers for workers’ compensation claims. Information may also be shared with health oversight agencies when authorized by law, and other special government functions such as military, national security and presidential protective services.
• Law enforcement: We may share information for law enforcement purposes. This includes sharing information to help locate a suspect, fugitive, missing person or witness.
• Lawsuits and legal actions: We may share information about you in response to a court or administrative order, or in response to a subpoena.
• Research: We can use or share your information for certain research projects that have been evaluated and approved through a process that considers a Member’s need for privacy.

We may contact you in the following situations:

• Treatment options: To provide information about treatment alternatives or other health related benefits or Sanford Health Plan services that may be of interest to you.
• Fundraising: We may contact you about fundraising activities, but you can tell us not to contact you again.

YOUR RIGHTS THAT APPLY TO YOUR HEALTH INFORMATION

When it comes to your health information, you have certain rights.

• Get a copy of your health and claims records: You can ask to see or get a paper or electronic copy of your health and claims records and other health information we have about you. We will provide a copy or summary to you usually within thirty (30) calendar days of your request. We may charge a reasonable, cost-based fee.
• Ask us to correct your health and claims records: You can ask us to correct health information that you think is incorrect or incomplete. We may deny your request, but we’ll tell you why in writing. These requests should be submitted in writing to the contact listed below.
• Request confidential communications: You can ask us to contact you in a specific way (for example, home or office phone) or to send mail to a different address. Reasonable requests will be approved. We must say “yes” if you tell us you would be in danger if we do not.
• Ask us to limit what we use or share: You can ask us to restrict how we share your health information for treatment, payment, or our operations. We are not required to agree to your request, and we may say “no” if it would affect your care. If you are not able to tell us your preference, for example if you are unconscious, we may go ahead and share your information if we believe it is in your best interest. We may also share your information when needed to lessen a serious and imminent threat to health or safety.
• Get a list of those with whom we’ve shared information: You can ask for a list (accounting) of the times we’ve shared your health information for six (6) years prior, who we’ve shared it with, and why. We will include all disclosures except for those about your treatment, payment, and our health care operations, and certain other disclosures (such as those you asked us to make). We will provide one (1) accounting a year for free, but we will charge a reasonable cost-based fee if you ask for another within twelve (12) months.
• Get a copy of this privacy notice: You can ask for a paper copy of this Notice at any time, even if you have agreed to receive it electronically. We will provide you with a paper copy promptly.
• Choose someone to act for you: If you have given someone medical power of attorney or if someone is your legal guardian, that person can exercise your rights and make choices about your health information. We will make sure the person has this authority and can act for you before we take any action.
• File a complaint if you feel your rights are violated: You can complain to the U.S. Department of Health and Human Services Office for Civil Rights if you feel we have violated your rights. We can provide you with their address. You can also file a complaint with us by using the contact information below. We will not retaliate against you for filing a complaint.

Contact Information:
Sanford Health Plan
Customer Service
PO Box 91110
Sioux Falls, SD 57109-1110
(800) 752-5863 (toll-free) | TTY/TDD 711

OUR RESPONSIBILITIES REGARDING YOUR HEALTH INFORMATION

• We are required by law to maintain the privacy and security of your health information.
• We will let you know promptly if a breach occurs that may have compromised the privacy or security of your health information. 
• We must follow the duties and privacy practices described in this Notice and offer to give you a copy.
• We will not use, share, or sell your information for marketing or any purpose other than as described in this Notice unless you tell us to in writing. You may change your mind at any time by letting us know in writing.

CHANGES TO THIS NOTICE

We may change the terms of this Notice, and the changes will apply to all information we have about you. The new Notice will be available upon request and online at www.sanfordhealthplan.com.

EFFECTIVE DATE

This Notice of Privacy Practices is effective February 1, 2022.

NOTICE OF AFFILIATED COVERED ENTITY DESIGNATION

Sanford Health Plan, Sanford Health, and The Evangelical Lutheran Good Samaritan Society, as covered entities under common ownership and control, have designated themselves and subsidiaries as a single covered entity for purposes of the Health Insurance Portability and Accountability Act (HIPAA). Sanford Health Plan shares health information about its members with the affiliated covered entity participants for treatment and other purposes as allowed by HIPAA and applicable law.