Interoperability and Sharing Your Health Data

The Centers for Medicare & Medicaid Services (CMS) requires Paramount to use interoperability standards to format digital data. This begins on July 1, 2021. The goal is to provide an easy way for members to digitally view and share their health data across healthcare providers and health plans. To share data this way, members will need to download an app from a third party and go to MyParamount.org to opt in.

Easier digital access to your health data may help you better manage your health care. But, caution is crucial. If you choose to use a third-party app, it's important to protect your health data. Keep in mind:

  • If you direct Paramount to share your health data with a third-party app, Paramount has no control over how the third-party app will use or share your health data. Some third-party apps may share your health data with other third parties.
  • Any app you choose to receive your health data should have an easy-to-read privacy policy. The policy should clearly explain how the app will use your data. If an app does not have a privacy policy, don't use the app. (Sometimes privacy information is in the app’s “end-user license agreement.”)

Payor to Payor Data Exchange

As of January 1, 2022, CMS has mandated that, at the member's request only, Paramount share data with a health plan that the member is transitioning from or transitioning to. Members must complete the Paramount HIPAA release form to authorize this type of request. Prior to data exchange, coordination will need to occur between Paramount and the other health plan.

FAQ

Interoperability means that all digital health data is formatted in the same way. Then, it can be easily shared across consumers, healthcare providers and health plans. It also means data can be shared using different devices. Devices could include a smartphone, tablet, laptop or desktop computer. But, to share this data, a member needs to download an app from a third party.

Centers for Medicare & Medicaid Services (CMS) established these rules (CMS-9115-F). Health plans are required to follow these rules starting on July 1, 2021.

No, using these apps is voluntary.

Things you should consider:

  • What health data will this app collect?
  • Will this app collect non-health data from my device, such as my location?
  • Will my data be stored in a de-identified or anonymized form?
  • How will this app use my data?
  • Will this app disclose my data to third parties?
  • Will this app sell my data for any reason, such as advertising or research?
  • Will this app share my data for any reason? If so, with whom? For what purpose?
  • How can I limit this app's use and disclosure of my data?
  • What security measures does this app use to protect my data?
  • What impact could sharing my data with this app have on others, such as my family members?
  • How can I access my data and correct inaccuracies in data retrieved by this app?
  • Does this app have a process for collecting and responding to user complaints?
  • If I no longer want to use this app, or if I no longer want this app to have access to my health info, how do I terminate the app’s access to my data?
  • What is the app's policy for deleting my data once I terminate access? Do I have to do more than just delete the app from my device?
  • How does this app inform users of changes that could affect its privacy practices?

If the app's privacy policy does not answer these questions, you may not want to use the app to access your health info. 

Most third-party apps will not be covered by HIPAA. Most third-party apps will instead fall under the jurisdiction of the Federal Trade Commission (FTC) and the protections provided by the FTC Act. The FTC Act, among other things, protects against deceptive acts, for example, an app sharing personal data without permission despite having a privacy policy that says it will not do so.

The FTC provides information about mobile app privacy and security.

If you have a privacy or security concern related to Paramount, please call the Compliance Hotline at 800-533-1000. You can choose to remain anonymous.

If you believe that a HIPAA-covered entity or its business associate violated your (or someone else's) health info privacy rights or committed another violation of the Privacy, Security, or Breach Notification Rules, you may file a complaint with the Office for Civil Rights (OCR). OCR can investigate complaints against covered entities (health plans, healthcare clearinghouses, or healthcare providers that conduct certain transactions electronically) and their business associates.

You can file a complaint with the OCR using the OCR complaint portal.

Because most third-party apps are NOT considered HIPAA-covered entities or business associates of HIPAA-covered entities, any complaints against the third-party app would not be covered under the Privacy and Security Rules of HIPAA and will fall under the jurisdiction of the Federal Trade Commission (FTC).

You can file a complaint with the FTC here.

You can also visit the Department of Health and Human Services website for FAQs on HIPAA for Individuals.

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces the HIPAA Privacy, Security, and Breach Notification Rules, and the Patient Safety Act and Rule. Learn more about patient rights under HIPAA and who is obligated to follow HIPAA.