PacificSource carefully observes Health Insurance Portability and Accountability Act (HIPAA) privacy and consent guidelines when handling your data made available as part of Health and Human Services (HHS) Interoperability rules. Safeguarding your health information and privacy is our top priority.
Unless you provide explicit consent, PacificSource will never share your health data with anyone outside of specific healthcare scenarios allowed by HIPAA guidance.
HHS Interoperability rules provide you with new ways to access your health data. Accessing your PacificSource health data using interoperability-related tools can introduce risks because you may elect to view your data using applications and other channels that fall outside of PacificSource’s control.
Most third-party applications are not covered by HIPAA. They instead fall under the jurisdiction of the Federal Trade Commission (FTC). The FTC provides information about mobile app privacy and security for consumers.
It is your responsibility to safeguard your health data and your privacy when you use tools not provided by PacificSource. To remain protected, we recommend the following:
- Understand the security and privacy practices of any applications or tools that you might use to access your health data.
- Ensure that any device you use to access your health data is secured with a passcode, biometric login, or some similar form of protection.
- Do not share your access information with any third parties.
- Carefully review and understand any consent forms that you might be asked to sign when you access your health data via another application or tool.
- Promptly report suspected compromises of your health data.
Find out about our information privacy practices in our Notice of Privacy Practice.
How is my data protected?
PacificSource always closely follows federal HIPAA guidelines to ensure that your health data is protected. We use up-to-date security technology and consistently observe documented security procedures to safeguard your health data while it is in our keeping.
The HHS Office for Civil Rights (OCR) enforces the HIPAA Privacy, Security, and Breach Notification Rules, and the Patient Safety Act and Rule. Find more information about your individual rights under HIPAA at HHS.
If you feel that your rights under HIPAA Rules were violated, you may file a complaint with the OCR.
When your data leaves PacificSource as part of an interoperability request you make or another party makes on your behalf, it is your responsibility to ensure that your data remains protected. For example, if you use a mobile device to access your health information and leave your device unlocked, your data may be at risk of exposure. Similarly, security gaps in third-party applications you might download from an app store could pose risks that PacificSource cannot help you with.
Under interoperability rules, third-party applications you might use to access your health information are governed by FTC guidelines.
If you feel that your health information or privacy has been compromised via use of a third-party application, you may file a complaint with the FTC.
It is important that you carefully consider these risks when you choose to access your health information under the CMS interoperability rules.
What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) establishes standards for using and disclosing individuals' health information (known as "protected health information" or PHI) by entities subject to the Act. These individuals and organizations are called "covered entities." HIPAA also sets forth standards for individuals' rights to understand and control how their health information is used.
What are HIPAA covered entities?
Covered entities under HIPAA include health plans, healthcare providers, and healthcare clearinghouses. HIPAA covered entities must take special precautions to protect the privacy of your health data.
Health plans include health insurance companies, health maintenance organizations, government programs that pay for healthcare (Medicare, for example), and military and veterans' health programs.
HIPAA also applies to business associates of HIPAA covered entities and their subcontractors. A business associate can be an individual or company whose services to a HIPAA covered entity require it to access, store, use, or transmit protected health information.
Generally speaking, third-party applications, such as those that are used to obtain health records under the interoperability provisions, are not considered covered entities or business associates under HIPAA.