Manage Personal Health Information
You have rights when it comes to your Protected Health Information (PHI). You can decide how your information is shared.
A Release of Information gives your health care providers and health insurance plans permission to share limited health information about you. This helps your providers and insurance plans to work together to take better care of you.
Learn more:
You have the following rights as a member when it comes to your PHI:
Authorization to Release Physical and/or Behavioral Health Information: Substance Use Information
Authorization to Release Physical and/or Behavioral Health Information (Excluding Substance Use Information)
You also have the right to manage access to your PHI:
Request for Access to PHI
You can also Restrict the Use and Disclosure of PHI
You can also Revoke an Authorization for Release of Information
Request for an Account of Disclosed PHI
Request to Amend PHI
Request to Designate a Personal Representative
Request to Mail PHI to Private Address
Patient Access API
The Patient Access API enables Community Care members to securely exchange their behavioral health plan information, which includes personal details like name, address, phone number, and date of birth, with third-party applications. This is part of a new federal requirement known as Interoperability & Patient Access.
Interoperability & Patient Access
1. What is Interoperability?
The term “interoperability” broadly refers to the coordinated exchange of health information. Because the Centers for Medicare & Medicaid Services issued federal rules under the title “Interoperability and Patient Access,” Interoperability (capitalized) often refers to the specific exchange of health information that is required under those rules. You should keep in mind that your access to your own information is only one part of the Interoperability rule – there are also requirements for health care provider directories and future requirements for health plans to exchange information when you change plans – so you may see the term used in other places with a slightly different meaning.
2. What part of the Interoperability rule lets members access their health information through an app?
This part of the rule is known as the Patient Access API. “API” stands for Application Programming Interface, which is a form of computer software that your health plan must set up to handle incoming requests from apps when you want to access specific information. Another part of the rule, known as the Provider Directory API, works in the same way but is designed to transmit contact and other information about Community Care’s network of health care providers.
3. Do all health plans have to set up a Patient Access API?
If you get medical coverage through Medicare Advantage, Medicaid, the Children’s Health Insurance Program (CHIP), or a Qualified Health Plan (QHP) on the Marketplace (known as Pennie in Pennsylvania), your health plan should have a Patient Access API. Standalone Dental plans and QHP issuers in the Federally Facilitated Small Business Health Options (FF-SHOP) Marketplace may be exempt.
4. What information is available to me?
The Patient Access API provides access to medical and pharmacy claims, provider encounter (visit), cost, and specific types of clinical information that your health care providers have sent or shared with Community Care.
5. Can I control access to my information after I view it with my chosen App?
It depends. Because third-party Apps are not subject to the same privacy standards as health plans and health care providers, they may take a different approach to storing, using, and disclosing your data. They may or may not offer you specific options to control access to your information once it is in the App. You should closely review an App’s privacy practices and any information they have about access and disclosure of your information.
6. What should I consider when choosing an App?
While Community Care does not endorse any specific third-party App, there are certain things you should look for and think about when choosing any App to access your protected health information. Your best bet is to start with an App from a trustworthy source that you have confidence in. Before downloading or sharing your information with a new App, ask the following questions:
- Does the App have an easy-to-read Privacy Policy that clearly explains how the App will store and use my data?
  If an App doesn’t clearly explain how it will use your information, you should consider using another App.
- What health data will this App collect? Will this App also collect non-health data from my device, such as my location?
  Consider whether you want an App that has your health information to also know other information about you. While the App might have a reason for requesting other information, giving more of your information to be stored in one place could make it easier for someone who accesses that information to identify you or steal your identity.
- Will my data be stored in a de-identified or anonymized form?
  De-identified data removes details like phone numbers, medical record file numbers, and dates so that the stored information cannot be used to identify you.
- Will this App disclose my data to third parties?
- Will this App sell my data for any reason, such as advertising or research?
- Will this App share my data for any reason? If so, with whom? For what purpose?
- Does this App allow me to limit its use and disclosure of my data? How?
- What security measures does this App use to protect my data?
  Look for Apps that explain their use of encryption (scrambled data) to prevent unauthorized users from accessing your data.
- What impact could sharing my data with this App have on others, such as my family members?
- How can I access my data and correct inaccuracies in data retrieved by this App?
- Does this App have a process for collecting and responding to user complaints?
- If I no longer want to use this App, or if I no longer want this App to have access to my health information, how do I terminate the App’s access to my data?
- What is the App’s policy for deleting my data once I terminate access? Do I have to do more than just delete the App from my device?
- How does this App inform users of changes that could affect its privacy practices?
If the App’s Privacy Policy does not clearly answer these questions, you should consider other options. Health information is very sensitive and you should be careful to choose Apps with strong privacy and security standards to keep it protected.
Above all else, trust your instincts! If you get an unsolicited e-mail advertising an App, see a message from someone you don’t know asking you to try a new App, or see anything that seems “off” about an App, don’t use it!
7. What is different about a third-party App?
A third-party App is one provided by someone other than your health plan. In some cases, third-party Apps might be offered by brands that are familiar to you or they may be from a software developer you have never heard of before. While you are entitled to use the App of your choice, including a third-party App, you should carefully consider how any App will store and protect your sensitive health data. Important rights and protections under health care privacy laws like HIPAA will normally apply to an App offered by your health plan or health care provider, but generally will not apply to most third-party Apps.
8. Can Community Care help me if I have problems with a third-party App?
Unfortunately, Community Care does not have relationships with most third-party App developers and cannot provide support for problems with a third-party App.
9. Does Community Care screen third-party Apps or require App developers to attest to specific security practices?
No, because Community Care is not permitted to limit API access in this way. The Interoperability and Patient Access rule does not allow Community Care to impose unique screening criteria or standards on Apps that members have authorized to access their health information. It is true that all Apps connecting to Community Care’s APIs, including the Patient Access API, must meet minimum technical standards for information security with respect to the initial connection and access. We also encourage App developers to adhere to the CARIN Code of Conduct and Trust Framework, which were developed by health IT experts and consumer representatives to establish universal guidelines for safely and reliably sharing and protecting electronic health information. However, Community Care is not permitted to require that Apps or App developers engage in specific privacy or security practices after they have accessed your information, and we cannot limit the ways in which a third-party App stores or uses your data after it has been transmitted through the API. Most third-party Apps are also not subject to the HIPAA privacy protections that otherwise apply to the protected health information held by your health plan or health care providers.
10. How does Community Care protect my health information?
Like almost all plans and providers, Community Care is required to protect your health information under a federal law known as the Health Insurance Portability and Accountability Act (HIPAA), as well as under various state laws that include either comparable or enhanced protection. If HIPAA applies to a health plan, provider, or other entity, they are often known as “HIPAA covered” or a “HIPAA covered entity.” HIPAA requires covered entities like Community Care to protect your health information unless you ask that it be disclosed, except in certain cases where disclosing some part of your health information (usually to another covered entity like a health care provider or government agency that provides your benefits) is necessary to ensure that you receive quality treatment, to pay for care you receive, or for health plan operations that allow us to manage your plan benefits. More details about Community Care’s protection and permitted use of your health information are available in our Privacy Statement.
11. Where can I learn more about my rights under HIPAA and who HIPAA applies to?
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces the HIPAA Privacy, Security, and Breach Notification Rules, and the Patient Safety Act and Rule. You can find more information about patient rights under HIPAA and who is obligated to follow HIPAA here: https://www.hhs.gov/hipaa/for-...
12. Do all Apps have to protect my health information?
Most third-party Apps are not covered by HIPAA. Most third-party Apps will instead fall under the oversight of the Federal Trade Commission (FTC). While the FTC Act includes protections against, among other things, “deceptive acts” (e.g., a third-party App sharing your information without permission after saying it won’t do so), it does not automatically include the types of comprehensive rights and privacy protections for health information that are required for HIPAA covered entities.
The FTC provides information about mobile app privacy and security for consumers here: https://www.consumer.ftc.gov/a...
13. Device Controls
You should consider limiting your use of Apps for the Patient Access API to a single, private, personal device. You should have a strong, unique password for the App and should set up Multi-Factor Authentication if possible.
14. What can I do if I think my data has been used inappropriately?
If you believe that your privacy rights have been violated, you can file a complaint. There are different options for filing your complaint depending upon who you believe violated your rights.
If your complaint involves a third-party App, you may submit a complaint to the FTC using the FTC Complaint Assistant: https://reportfraud.ftc.gov/as...
If you have a concern about Community Care and your privacy rights, you can contact our Member Services team toll-free at 1-800-553-7499 (TTY: 1-833-545-9191). If we are unable to address your privacy concerns as a current member, you may ask to file a complaint.
If you believe that your privacy rights under HIPAA have been violated, you may file a complaint with the HHS Office for Civil Rights (https://ocrportal.hhs.gov/ocr/...). To learn more about filing a complaint with OCR under HIPAA, visit: https://ocrportal.hhs.gov/ocr/...
Disclaimer: The educational information presented here is intended solely to inform consumers about the availability and use of the Patient Access API and other related APIs. This information is not intended to grant any rights or impose any obligations. The recommendations and commentary presented are designed as a helpful summary and are not a replacement for comprehensive individual review and analysis of the risks and questions presented when accessing protected health information. The descriptions of privacy rights, laws, and applicable standards are not comprehensive and are not a substitute for professional legal advice.