In 2020, the Centers for Medicare & Medicaid Services (CMS) introduced the Interoperability and Patient Access rule (CMS-9115-F). This rule simplifies how you can access and share your health data. For instance, you can use a smartphone app to view details about claims, medications, and more, depending on your insurance plan.

Third-Party Apps (apps that are not owned by Community First) can begin accessing health data starting from 2016, based on when you joined your current plan. Sharing data among you, your healthcare providers, and apps facilitates better coordination and could potentially enhance your care and reduce healthcare costs.

Sharing Member Data – Benefits and Risks

Third-Party Applications (applications not owned by Community First) can access PHI data compliant with the new CMS requirements for all plans carried by Community First, allowing members to share data with their healthcare providers, facilitating better coordination of the Member’s care and potentially enhancing the member’s health and reducing healthcare costs.

Please note that a variety of applications are offered by 3rd parties, most of the applications will allow the Member to aggregate their data from multiple health systems to create a complete 360-degree record of the members health care episodes with different Providers.

Members who share their data have experienced benefits of better visibility into their health and wellbeing and allowed them to improve both their health and the quality of care rendered from the health care systems.

Understanding Your Application and HIPAA Privacy

Community First security and risk management policies require extensive safeguards to protect Community First’s member data; data shared through integrations require authentication of the requesting party to verify their identity. Please note that once the members data is shared with a 3rd party application, Community First is no longer responsible for the security of that data. This is why it is important to read the privacy and security policies presented by any 3rd party application, to ensure an understanding of how the 3rd party will protect and leverage the data once it’s in their possession.

Considering a Third-Party App?

Community First Members need to actively protect their health information by carefully selecting third-party apps that handle their data responsibly. To make informed decisions, patients should look for apps with clear, easy-to-read privacy policies outlining how their data will be used. If an app lacks a privacy policy, it’s best to avoid it. Patients should consider the following questions when evaluating an app:

• How can I limit the app’s use and disclosure of my data?
• What security measures does the app employ to protect my data?
• Could sharing my data with the app affect others, such as family members?
• How can I access and correct any inaccuracies in the data held by the app?
• Does the app have a process for handling user complaints?
• If I decide to stop using the app or revoke its access to my data, how do I do that?
• How does the app notify users about changes to its privacy practices?

Privacy Protections

The Health Insurance Portability and Accountability Act (HIPAA) is a federal privacy law that protects health information. It limits how it is stored and shared. It protects information in apps that are from health plans or health care providers.

Most third-party apps will not be covered by HIPAA. Most third-party apps will instead fall under the jurisdiction of the Federal Trade Commission (FTC) and the protections provided by the FTC Act. The FTC Act, among other things, protects against deceptive acts (e.g., if an app shares personal data without permission, despite having a privacy policy that says it will not do so).

The FTC provides information about mobile app privacy and security for consumers here: https://consumer.ftc.gov/articles/how-protect-your-privacy-apps

HIPAA Rules on Covered Entities

As a health plan, Community First is a Covered Entity as defined by Health and Human Services and must protect Member’s information as required under HIPAA requirements. Covered entities are defined under the HIPAA rules as, Health Care Providers that transmit any PHI data in an electronic form in connection with a transaction for which HHS has adopted a standard.

This includes, Health insurance companies, HMOs, Company health plans, Government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans’ health care programs.

Some organizations such as workers’ compensation carriers, most schools and school districts, state agencies, law enforcement agencies, life insurers, employers and many municipal entities, that have health information do not have to follow the Privacy and Security Rules.

The FTC Health Breach Notification Rule requires all 3rd Party applications that are available for integration with the FHIR APIs and don’t fall under Covered Entities to notify their customers, the FTC, and, in some cases, the media, if there’s a breach of unsecured, individually identifiable health information.

The U.S. Department of Health and Human Services (HHS) OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, and the Patient Safety Act and Rule. Please follow the link for more information about patient rights under HIPAA and parties obligated to follow HIPAA guidelines.

https://www.hhs.gov/hipaa/for-individuals/guidance-materials-for-consumers/index.html