Skip to main content Skip to secondary navigation

Improved site navigation is coming soon. Thank you to everyone who participated in our user tests! 

HIPAA Notice of Privacy Practices

Main content start

This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please read it carefully.


Our Pledge to Protect Your Privacy

Stanford University (the “Employer” for purposes of this Notice) is committed to protecting the privacy of your health information. Health information that identifies you (“protected health information,” or “health information”) includes your medical record and other information relating to your care or payment for care that is held by the Stanford University Educated Choices Flexible Benefits Plan (the “Plan”).

We are required by law to:

  • Make sure that your health information is kept private (with certain exceptions);
  • Give you this Notice of our legal duties, as plan sponsor of the Plan, and privacy practices with respect to health information about you; and
  • Follow the terms of the Notice currently in effect.

It’s important to note that these rules apply to the Plan, not to Stanford University as the Employer. If you are covered by an insured plan option under the Plan, you will also receive a notice directly from the insurer. Your personal doctor or health care provider may have different policies or notices regarding their use and disclosure of your medical information.

Who Will Follow This Notice

The following parties share the Employer's commitment to protect your privacy and will comply with this Notice:

  • Members of the Employer’s workforce who may have access to individually identifiable health information of Plan participants (1) on behalf of the Plan itself; or (2) on behalf of the Employer, for administrative functions of the Plan.
    • These employees of the Employer have access to individually identifiable health information: “Associate Vice President,” “Benefits Director,” “Benefits Manager,” “Benefits Analysts,” “Benefits Specialists,” “Benefits Associates” and “Customer Service Front Line Employees” who perform functions directly on behalf of the Plan and who have access to individually identifiable health information on behalf of the Employer for its use in “plan administrative functions.”
  • Business associates (outside vendors who perform services for the Plan) who have access to certain health information for the purposes of conducting business operations, payment of medical, dental and vision benefits or for use in “plan administrative functions.”

How We May Use and Disclose Medical Information About You

The following sections describe different ways that we use and disclose your health information:

For Treatment

The Plan may use and disclose health information about you in the provision and coordination of health care. For example, we may share information to process your claims or review the quality of health care you receive, or the Plan may share health information about you with physicians who are treating you. 

For Payment

We may use and disclose medical information about you to bill and receive payment for the treatment and services you receive. For example, the Plan may use or disclose information to make determinations about eligibility for insurance coverage, coordination of benefits with other insurance coverage, to perform claims management and collection activities, to review the medical necessity or the appropriateness of the care you received, and to conduct utilization reviews such as pre-authorizations, or reviews of services.  For certain services, if your permission is needed to release health information to obtain payment, you will be asked for permission. The Plan may not use genetic information to decide whether coverage will be available to you or the price of that coverage.

For Health Care Operations

We may use and disclose protected health information about you to conduct normal business functions. For example, we may use or disclose information in order to enroll you in a health program, evaluate the performance of the staff in managing and providing you with your health benefits, to contract for reinsurance or investigate the validity of benefit claims. In addition, the Plan may share your health information with another company that performs certain services, such as billing or compiling information to help the Plan determine how the Plan is doing relative to other health plans.

Business Associates

The Plan contracts with outside companies that perform business services for us, such as billing companies, management consultants, quality assurance reviewers, accountants or attorneys. In certain circumstances, we may need to share your medical information with a business associate so it can perform a service on our behalf. The Plan will limit the disclosure of your information to a business associate to the amount of information that is the “minimum necessary” for the company to perform services for the Plan. In addition, we will have a written contract in place with the business associate requiring protection of the privacy and security of your health information.

Health-Related Benefits and Services

We may use and disclose medical information to tell you about health-related benefits or services that may be of interest to you.


The Plan may disclose certain of your health information to the Employer. Upon a request from the Employer, the Plan may disclose health information about you to enable the Employer to obtain premium bids from health plans that might provide health insurance coverage under the group health plan, or to modify, amend, or terminate the Plan; however, the information the Plan discloses will not include any information that identifies you other than your zip code.

The Plan may also disclose to the Employer information on whether you are participating in, enrolled in, or disenrolled from the Plan. The Plan also may disclose health information about you, including information that identifies you, only if it is necessary for the Employer to administer the Plan.

For example, the Employer may need such information to process health benefits claims, to audit or monitor the business operations of the Plan, or to ensure that the Plan is operating effectively and efficiently.

The Plan, however, will restrict the Employer’s uses of your information to purposes related only to Plan administration. The Plan prohibits the Employer from using your information for uses unrelated to Plan administration. Under no circumstances will the Plan disclose your health information to the Employer for the purpose of employment-related actions or decisions (e.g. for employment termination) or for the purpose of administering any other plan that the Employer may offer.

Individuals Involved in Care

We may release health information about you to a family member or friend who is involved in your medical care. We may also give information to someone who helps pay for your care. Unless there is a specific written request from you, we may also notify a family member, personal representative or another person responsible for your care about your location and general condition. In addition, we may disclose health information about you to an organization assisting in a disaster relief effort (such as the Red Cross) so that your family can be notified about your condition, status and location.

To Prevent a Serious Threat to Health or Safety

We may use and disclose certain information about you when necessary to prevent a serious threat to your health and safety or the health and safety of others.  However, any such disclosure will only be to someone able to prevent or respond to the threat, such as law enforcement, or a potential victim. For example, we may disclose your protected health information in a proceeding regarding the licensure of a physician.

Special Situations That Do Not Require Your Authorization

Workers’ Compensation

We may release health information about you for workers' compensation or similar programs.  These programs provide benefits for work-related injuries or illness.

Public Health Activities

We may disclose health information about you for public health activities. These activities include, but are not limited to the following:

  • To prevent or control disease, injury or disability;
  • To report births and deaths;
  • To report the abuse or neglect of children, elders and dependent adults;
  • To report reactions to medications or problems with products;
  • To notify you of the recall of products you may be using;
  • To notify a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition;
  • To notify the appropriate government authority if we believe you have been the victim of abuse, neglect or domestic violence; we will only make this disclosure when required or authorized by law;

Health Oversight Activities

We may disclose health information to a health oversight agency, such as the California Department of Public Health or the Center for Medicare and Medicaid Services, for activities authorized by law.  These oversight activities include audits, investigations, inspections, and licensure. These activities are necessary for the government to monitor the health care system, government programs, and compliance with civil rights laws.

Lawsuits and Disputes

If you are involved in a lawsuit or a dispute, we may disclose health information about you in response to a court or administrative order. We may also disclose health information about you in response to a subpoena, legally enforceable discovery request, or other lawful process by someone else involved in the dispute.

Law Enforcement 

We may release health information at the request of law enforcement officials in limited circumstances, for example:

  • In response to a court order, subpoena, warrant, summons or similar process;
  • To identify or locate a suspect, fugitive, material witness, or missing person;
  • About the victim of a crime if, under certain limited circumstances, the victim is unable to consent;
  • About a death we believe may be the result of criminal conduct; and
  • In emergency circumstances to report a crime; the location of the crime or victims; or the identity,description or location of the person who committed the crime.

Coroners Medical Examiners and Funeral Directors 

We may release health information to a coroner or medical examiner. This may be necessary to identify a deceased person or determine the cause of death. We may also release health information to funeral directors as necessary to carry out their duties with respect to the deceased.

Organ and Tissue Donation

We may release health information to organizations that handle organ, eye, or tissue procurement or transplantation, as necessary to facilitate organ or tissue donation. The procurement or transplantation organization needs your authorization for any actual donations. 

Military and Veterans

If you are a member of the armed forces, we may release health information about you as required by military command authorities. We may also release health information about foreign military personnel to the appropriate foreign military authority.

National Security and Intelligence Activities

Upon receipt of a request, we may release health information to authorized federal officials for intelligence, counterintelligence, and other national security activities authorized by law. We will only provide this information after the Privacy Officer has validated the request and reviewed and approved our response.


If you are an inmate of a correctional institution or under the custody of a law enforcement official, we may release health information about you to the relevant correctional institution or law enforcement official. This release may be necessary for the institution to provide you with health care; to protect your health and safety or the health and safety of others; or for the safety and security of the correctional institution.


We may disclose health information about you for research purposes, subject to approval by institutional or private policy review boards, and subject to certain assurances and representations by researchers regarding the necessity of using your health information and treatment of the information during a research project.

Other Uses or Disclosure Required by Law

We may also use or disclose health information about you when required to do so by federal, state or local laws not specifically mentioned in this Notice.  For example, we may disclose health information as part of a lawful request in a government investigation.

Situations That Require Your Authorization

For uses and disclosures not generally described above, we must obtain your authorization. For example, the following uses and disclosures will be made only with your authorization:

  • Uses and disclosures for marketing purposes;
  • Uses and disclosures that constitute the sale of protected health information;
  • Most uses and disclosures of psychotherapy notes; and
  • Other uses and disclosures not described in this Notice

If you provide us authorization to use or disclose health information about you, you may revoke that authorization, in writing, at any time. If you revoke your authorization, we will no longer use or disclose health information about you for the activities covered by the authorization, except if we have already acted in reliance on your permission. We are unable to take back any disclosures we have already made with your authorization, and we are required to retain records of health information.

Your Rights Regarding Medical Information About You

You have the following rights regarding health information we maintain about you:

Right to Inspect and Copy

You have the right to inspect and obtain a paper or electronic copy of health information that the Plan uses to make decisions about you and your coverage, subject to certain limited exceptions. Usually, this includes medical and billing records, but may not include some mental health information. We reserve the right to charge a fee to cover the cost of providing your health information records to you, and will usually provide you with a copy or summary within 30 days of your request. If you have questions about protected health information through an entity such as a health care provider, you will need to contact that entity or provider.

Right to Amend

If you believe that health information the Plan has on file about you is incorrect or incomplete, you may ask us to amend the health information. To request an amendment you must file an appropriate written request. In addition, you must provide a reason that supports your request. The Employer can only amend information that we created or that was created on our behalf. If your health information is accurate and complete, or if the information was not created by the Employer, we may deny your request to amend. If we deny your request, we will reply to you in writing, within 60 days, with our reasons for doing so.

Even if we deny your request to amend, you have the right to submit a written addendum to the Plan. Addendums may not exceed 250 words for each item or statement in your record you believe is incomplete or incorrect.

Right to an Accounting of Disclosure

You have the right to request an "accounting of disclosures" which is a list describing how we have shared your health information with outside parties. This accounting is a list of the disclosures we made of your health information for purposes other than treatment, payment, health care operations, and certain other purposes consistent with law. You may request an accounting of disclosures for up to six years before the date of your request. If you request an accounting more than once during a twelve month period, we will charge you a reasonable fee.

Right to Request Restriction

You have the right to request restrictions on certain uses or disclosures of your health information. For example, you may request that the Plan not make disclosures to family members. Requests for restrictions must be in writing. In most cases, we are not required to agree to your requested restriction. However, if we do agree, we will comply with your request unless the information is needed to provide you emergency treatment or comply with the law. If we do not agree to your request, we will reply to you in writing with the reason.

A restriction may later be terminated by your written request, by agreement between you and the Plan, for health information created or received after you are notified that the Plan has removed the restrictions.

Right to Request Confidential Communications

You have the right to request that we communicate with you about your health information or medical matters in a certain way or at a certain location. For example, you can ask that we only contact you at work, rather than at your home. We will not ask you the reason for your request. We will work to accommodate all reasonable requests, and will say “yes” if you tell us you would be in danger if we do not accommodate the request. Your request must be in writing and specify how and where you wish to be contacted.

Right to a Personal Representative

“You” in this Notice means a Plan participant or, if applicable, the participant’s personal representative. A personal representative is any person authorized to act on behalf of the participant with respect to his/her health care. For example, a personal representative may include the parent or guardian of a minor (unless the minor has the authority under California law to act on his/her own behalf), the guardian or conservator of the participant, or the person authorized to act on behalf of a deceased participant.  A request to appoint a personal representative must be made in writing.

Right to be Notified of a Breach

The Employer is committed to safeguarding your health information and proactively works to prevent health information breaches from occurring. If a breach of unsecured health information occurs, we will notify you in accordance with applicable state and federal laws.

Right to a Copy of This Notice Upon Request

You have the right to a copy of this Notice. You may view and print a copy of this notice by going to the Cardinal at Work Benefits & Rewards website.  You may also request a copy of this notice to be mailed to you at any time by calling the University HR Service Team at 650-736-2985 or 877-905-2985.

Request for Copy of Health Information

To obtain more information about how to request a copy of your health information, receive an accounting of disclosures, amend or add an addendum to your health information, please contact:

University HR Service Team

877-905-2985 or 650-736-2985

Forms are also available by phone from the University HR Service Team. You may send completed forms to Stanford Benefits at:

  • Fax:
    (866) 539-0431
  • Mail:

    Stanford Benefits

    P.O. Box 3190

    Bellaire, TX 77402 


If you believe your privacy rights have been violated, you may file a complaint with the Plan.

  • By phone:

    University HR Service Team

    877-905-2985 or 650-736-2985

  • By mail:
    Group Health Plan (GHP) Privacy Officer Benefits Manager
    Stanford University
    505 Broadway, 5th Floor
    Redwood City, CA 94063

You may also file a written complaint with the Director, Office for Civil Rights of the U.S. Department of Health and Human Services by mailing a letter to 200 Independence Avenue, SW, Washington, D.C. 20201, calling 877-696-6775, or visiting We will not retaliate against you for filing a complaint with us or the director.

Changes to This Notice

We reserve the right to change our privacy practices and update this Notice accordingly. We reserve the right to make the revised or changed Notice effective for health information we already have about you as well as any information we receive in the future.  If the Notice is changed, we will post the new Notice and provide a copy to you. The Notice contains the effective date at the top of this page.

Questions About Our Privacy Practices

The Employer values the privacy of your health information as an important part of the care we provide to you. If you have questions about this Notice or the Employer’s privacy practices, please contact the Plan as follows:

  • By phone:
    University HR Service Team
    877-905-2985 or 650-736-2985
  • By mail:
    Group Health Plan (GHP) Privacy Officer Benefits Manager
    Stanford University
    505 Broadway, 5th Floor
    Redwood City, CA 94063