Interoperability Information 

Interoperability and Patient Access

The world is moving toward interoperability, a.k.a. the ability of different computer systems to exchange and use information. What could this mean for you and your health? Better, more coordinated care, even when you change your doctors or insurance plans.

 

How does interoperability work?

Want easy access to share your medical records and health history? There’s (almost) an app for that! Interoperability means that, with your permission, EmblemHealth could share your health records with third-party applications (apps) to make the exchange of health information (such as claims, clinical data, and cost-sharing information) more fluid across the entire health care network – including patients, providers, and insurers. For example, a developer could create an app allowing members to share their health data with a rehabilitation center when they are transferred there from a hospital, or a technology company could create a cell phone app that would allow you to keep track of your medical expenses. These apps have NOT been developed yet, but all sorts of different ones are expected to be developed over time, and the federal government has made it a high priority for all health insurance companies to tell members about their privacy rights concerning these programs as a part of the Interoperability and Patient Access final rule.

Interoperability impacts most Medicare Advantage, Children’s Health Insurance Program (CHIP), and Medicaid members.

 

Your rights

EmblemHealth will ONLY share your electronic health data with the third-party app developer IF you ask us to.

 

Risk of sharing data

It’s important to note that if you consent to having your information shared, EmblemHealth is NOT responsible for the data once the app receives it. For example, we are not responsible for how the app uses or secures your data. You should carefully read any terms and conditions, and privacy and security notices issued by any app before allowing it to access your health data. According to the Federal Trade Commission (FTC), an app developer should also disclose in its product documentation how it shares sensitive information.

The following FAQs can help you determine the potential risks of sharing data.

 

If I consent to sharing data, what are the terms?

Your consent will be valid for 90 days. You will need to submit a separate consent request for each app you want us to share your health data with. If you give an app access to your data, we will generally transmit all the electronic data we have that we are permitted to release by law.

For your convenience, you have the right to revoke access by an app or all apps by calling the Customer Service number on your ID card.

 

Your personal representative may act on your behalf

Your personal representative is someone who has the legal authority to act on your behalf to make health care-related decisions (such as a parent, guardian, or person with a medical power of attorney). Before sharing health data with an app, we will require current valid documentation that your personal representative is authorized to act on your behalf.

With very limited exceptions for certain minors with respect to sensitive diagnoses such as HIV, substance or alcohol use, reproductive rights, etc., we have no ability to send only a portion of the member’s data to an app.

 

What are important things you should consider before authorizing a third-party app to retrieve your health care data?

It is important for you to take an active role in protecting your health information, and you should be careful to choose apps with strong privacy and security standards. If an app does not have a privacy policy, the Centers for Medicare & Medicaid Services (CMS) advises that you not use it. The app’s privacy policy should clearly answer the questions below:

  • What health data will this app collect? Will this app collect non-health data from my device, such as my location?
  • Will my data be stored in a de-identified or anonymized form?
  • How will this app use my data?
  • Will this app disclose or sell my data to third parties?
    • Will this app sell my data for any reason, such as advertising or research?
    • Will this app share my data for any reason? If so, with whom? For what purpose?
  • How can I limit this app’s use and disclosure of my data?
  • What security measures does this app use to protect my data?
  • What impact could sharing my data with this app have on others, such as my family members?
  • How can I access my data and correct inaccuracies in data retrieved by this app?
  • Does this app have a process for collecting and responding to user complaints?
  • If I no longer want to use this app, or if I no longer want this app to have access to my health information, how do I terminate the app’s access to my data?
    • What is the app’s policy for deleting my data once I terminate access? Do I have to do more than just delete the app from my device?
  • How does this app inform users of changes that could affect its privacy practices?

If the app’s privacy policy does not clearly answer these questions, CMS says you should reconsider using the app to access your health information. Health information is very sensitive information, and you should be careful to choose apps with strong privacy and security standards to protect it.

 

What are a member’s rights under the Health Insurance Portability and Accountability Act (HIPAA) and who must follow HIPAA?

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces the HIPAA Privacy, Security, and Breach Notification Rules, and the Patient Safety Act and Rule. You can find more information about patient rights under HIPAA and who is obligated to follow HIPAA here: hhs.gov/hipaa/for-individuals/guidance-materials-for-consumers/index.html

You may also want to review the HIPAA FAQs for Individuals: hhs.gov/hipaa/for-individuals/faq/index.html

 

Are third-party apps covered by HIPAA?

Most third-party apps will not be covered by HIPAA. Most third-party apps will instead fall under the jurisdiction of the FTC and the protections provided by the FTC Act. The FTC Act, among other things, protects against deceptive acts (e.g., if an app shares personal data without permission, despite having a privacy policy that says it will not do so). The FTC provides information about mobile app privacy and security for consumers here: consumer.ftc.gov/articles/0018-understanding-mobile-apps

 

What should a member do if they think their data has been breached or an app has used their data inappropriately?

You may be able to file a complaint with the OCR or FTC.

You may also file a complaint by contacting EmblemHealth Customer Service at the telephone number on the back of the member’s ID card.  

Interoperability information for app developers

App developers who want to enter the health care interoperability space need to abide by strict standards to keep members’ data private and secure. For guidelines on how to request a product subscription, access the APIs, or register an app, go to the CAQH Endpoint Directory located at https://endpointdirectory.caqh.org. Follow the directions to sign up with the directory; once signed up, you can test your app in a CAQH-provided sandbox.