What is interoperability?
Interoperability broadly concerns the ability of individuals and organizations to exchange healthcare data without undue difficulty. In support of interoperability goals, the U.S. Department of Health and Human Services (HHS) has established rules that require certain health insurance issuers to make some types of member health records available electronically via a third-party application, for example a mobile device app, upon a member's request.
Why is interoperability important?
Interoperability holds promise for improving several ways we experience healthcare today:
- It can make it easier for us as patients to access and understand information important to our health.
- It can make care delivery safer and more effective by making it more likely that healthcare providers have the most up-to-date information about the people they treat.
- It can make it easier for you to carry your health information history with you when you change employers, insurers, etc.
How can I access my health information?
Accessing your health information under CMS Interoperability and Patient Access Rules is most likely to happen using a mobile device app of your choosing. PacificSource currently supports access using the OneRecord mobile app and has plans to enable access via additional mobile applications in the future.
Get more detailed guidance for accessing your health information
Who owns my health data?
The Health and Human Services (HHS) Interoperability rules clearly establish that patients own their health data. Under the rules, it is unlawful for you to be denied access to your own health information.
Can anyone access my health data without my consent?
Generally speaking, no. The CMS Interoperability rules do nothing to expand access to your health information without your consent. Under existing HIPAA rules, healthcare providers and health plans may exchange your information under specific circumstances and only to the extent required to ensure that you have access to the care you need. Interoperability does not expand that access in any way.
If you choose to access your health information under the CMS Interoperability rules using a third-party tool, such as a mobile app, you will be asked to provide explicit consent to allow the app to transmit/access your health data.
What types of data are included?
The CMS Interoperability rules apply to data in the following basic areas:
- Member claims and/or explanation of benefits
- Member plan/coverage information
- Health plan formulary information
- Health plan provider information
- Member pharmacy/drug information
How much data is available?
In accordance with federal guidelines, PacificSource makes data available from the 2017 plan year to the present time.
How often is data refreshed?
PacificSource refreshes most data types covered under the CMS Interoperability rule within 24 hours.
Are there privacy risks involved?
Yes. While interoperability rules make it easier for you to access your health information, there are also new risks involved. Those risks arise because interoperability enables you to use tools other than those provided by your healthcare provider or health plan to access your data. It’s largely up to you to ensure that the tools you select to access your health information are used appropriately and are secure enough to protect your privacy.
How is my data protected?
PacificSource always closely follows federal HIPAA guidelines to ensure that your health data is protected. We use up-to-date security technology and consistently observe documented security procedures to safeguard your health data while it is in our keeping.
When your data leaves PacificSource as part of an interoperability request you make or another party makes on your behalf, it is your responsibility to ensure that your data remains protected. For example, if you use a mobile device to access your health information and leave your device unlocked, your data may be at risk of exposure. Similarly, security gaps in third-party applications you might download from an app store could pose risks that PacificSource is unable to help you with.
Under interoperability rules, third-party applications you might use to access your health information are governed by Federal Trade Commission (FTC) guidelines.
If you feel that your health information or privacy has been compromised via use of a third-party application, you may file a complaint with the FTC.
It is important that you carefully consider these risks when you choose to access your health information under the CMS interoperability rules.
What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) establishes standards for using and disclosing individuals' health information (known as "protected health information" or PHI) by entities subject to the Act. These individuals and organizations are called "covered entities." HIPAA also sets forth standards for individuals' rights to understand and control how their health information is used.
What are HIPAA covered entities?
Covered entities under HIPAA include health plans, healthcare providers, and healthcare clearinghouses. HIPAA covered entities are obliged to take special precautions to protect the privacy of your health data.
Health plans include health insurance companies, health maintenance organizations, government programs that pay for healthcare (Medicare for example), and military and veterans' health programs.
HIPAA also applies to business associates of HIPAA covered entities and their subcontractors. A business associate can be an individual or company that provides services to a HIPAA covered entity, which requires them to have access to store, use, or transmit protected health information.
Generally speaking, third-party applications, such as those that are used to obtain health records under the interoperability provisions, are not considered covered entities or business associates under HIPAA.
Selecting a third-party application
It is important for you to understand that health insurance issuers like PacificSource are not responsible for the privacy or security of any protected health information (PHI) once it has been received by the third-party application that you have chosen.
When selecting a third-party application to use to access your health information, the first thing to look for is a clear, plain language privacy policy that explains how your information will be protected and how it will be used and stored once it is shared with the application.
Here are some additional considerations to bear in mind when choosing a third-party application:
- What health information will this app collect?
- Will this app collect non-health data from my device, such as my location?
- Will my information be stored in a de-identified or anonymized form?
- How will this app use my information?
- Will this app disclose my information to any third parties?
- Will this app share or sell my information for any reason, such as advertising or research? If so, with whom? For what purpose?
- How can I limit this app's use and disclosure of my information?
- What security measures does this app use to protect my information?
- What impact could sharing my information with this app have on others, such as my family members?
- How can I access my data and correct inaccuracies in data retrieved by this app?
- Does this app have a process for collecting and responding to user complaints?
- If I no longer want to use this app, or if I no longer want this app to have access to my health information, how do I terminate the app's access to my data?
- What is the app's policy for deleting my data once I terminate access? Do I have to do more than just delete the app from my device?
- How does this app inform users of changes that could affect its privacy policy?
If the app's privacy policy does not clearly answer these questions, you should reconsider using the app to access your health information.