What is required by CMS?

The March 2020 final CMS Patient Access API / Interoperability rule requires MA plans and QHP Exchange issuers to:

Provide in an easily accessible location on its public website and through other appropriate mechanisms through which it ordinarily communicates with current and former enrollees seeking to access their health information held by the MA organization, educational resources in non-technical, simple and easy-to understand language explaining at a minimum:

(1) General information on steps the individual may consider taking to help protect the privacy and security of their health information including factors to consider in selecting an application including secondary uses of data, and the importance of understanding the security and privacy practices of any application to which they will entrust their health information; and

(2) An overview of which types of organizations or individuals are and are not likely to be HIPAA covered entities, the oversight responsibilities of the Office for Civil Rights (OCR) and the Federal Trade Commission (FTC), and how to submit a complaint to:

  • The HHS Office for Civil Rights (OCR) and
  • The Federal Trade Commission (FTC)

Notice the phrase “Provide in an easily accessible location on its public website and through other appropriate mechanisms through which it ordinarily communicates with current and former enrollees.” This is an interpretive part of the rule, alluding that plans consider making this above information available in member mailings, and in call center communications.

CMS has also issued sub-regulatory guidance with specifics on the content plans may provide on websites to advise members on selecting a third party application, which is listed below and can be found here.

In this advice, CMS suggests that plans provide members the following type of guidance on their selection of third party apps and the release of their health information:

It is important for patients to take an active role in protecting their health information. Helping patients know what to look for when choosing an app can help patients make more informed decisions. Patients should look for an easy-to-read privacy policy that clearly explains how the app will use their data. If an app does not have a privacy policy, patients should be advised not to use the app. Patients should consider:

  • What health data will this app collect? Will this app collect non-health data from my device, such as my location?
  • Will my data be stored in a de-identified or anonymized form?
  • How will this app use my data?
  • Will this app disclose my data to third parties?
  • Will this app sell my data for any reason, such as advertising or research?
  • Will this app share my data for any reason? If so, with whom? For what purpose?
  • How can I limit this app’s use and disclosure of my data?
  • What security measures does this app use to protect my data?
  • What impact could sharing my data with this app have on others, such as my family members?
  • How can I access my data and correct inaccuracies in data retrieved by this app?
  • Does this app have a process for collecting and responding to user complaints? If I no longer want to use this app, or if I no longer want this app to have access to my health information, how do I terminate the app’s access to my data?
  • What is the app’s policy for deleting my data once I terminate access? Do I have to do more than just delete the app from my device?
  • How does this app inform users of changes that could affect its privacy practices?

If the app’s privacy policy does not clearly answer these questions, patients should reconsider using the app to access their health information. Health information is very sensitive information, and patients should be careful to choose apps with strong privacy and security standards to protect it.

Additional steps plans can take

If plans wish to go beyond minimal CMS rule requirements, the Interoperability and Patient Access final regulation encourages plans to ask third-party app developers (which their members intend to use) to attest to having certain provisions in their privacy, security and use of data policies.

This attestation could include a privacy policy, written in plain language, affirmatively shared with the patient prior to the patient authorizing app access to their PHI. App’s privacy policy includes the following information:

  • How a patient’s PHI may be accessed, exchanged, or used by any person or other entity, including whether the PHI may be shared or sold at any time (including in the future)
  • A requirement for express consent from a patient before PHI is accessed, exchanged, or used, including receiving express consent before a patient’s PHI is shared or sold (other than disclosures required by law or disclosures necessary in connection with the sale of the application or a similar transaction)
  • If an app will access any other information from a patient’s device
  • How a patient can discontinue app access to their data and what the app’s policy and process is for disposing of a patient’s data once the patient has withdrawn consent

Apps can agree, revise or rejection this attestation. Plans can share each apps attestation decisions with their members, with warnings on non-complying apps, and explanation that they have an opportunity to select which app to use, and to change their mind about using the app. If member goes ahead with an app that revises or rejects the plan attestation, the plan must still provide the app API access, but the member has been warned.

This list of apps that attest to plan privacy, security and use of data policies could be listed on plan‘s website, in member mailings and available on scripts for call center representatives.


Important Information for Developers

Complete API information