Data Sharing & Interoperability

Select Health is leading the healthcare industry in finding ways to provide you with digital access to your healthcare data. You bank online, shop online, and can get a degree online, so we believe it’s time that you’re at the center of your own care and can digitally obtain a complete view of your health information.

Select Health believes you own and should have access to your healthcare information, and should be able to:

  • Easily retrieve all healthcare data that is meaningful or actionable and share that information securely with whom you choose.
  • Be able to use an application (App) or device to access your healthcare data to better understand, analyze, track and manage your healthcare needs.

What Is Interoperability?

Interoperability is the ability for electronic systems to be able to communicate and exchange data in the same way, which will make it easier for App developers to create connections to Select Health and your health data. Interoperability empowers members, which leads to better health, improved affordability and stronger communities.

The Centers for Medicare & Medicaid Services put forth new rules that create a more consistent framework for interoperability and shifted responsibility of your health care data to you as the member and owner of that data. Part of these changes include a simplified and consistent mechanism for Apps to be able to ask you to allow their App to access your data.

This shift in responsibility for protecting your data means that you as the member have more control over who can access your health care data and you have more responsibility to protect your health care data. Select Health believes it’s important to provide you with educational resources concerning the privacy and security of your protected health information in the context of disclosures of your information to third-party Apps.

Select Health Patient Access API

Select Health is required to provide a “Patient Access API.” This provides a simple way for Apps to access your data when you allow them to do so. No App can access your data through the “Patient Access API” without you providing explicit permission. The value of the “Patient Access API” is that it makes it much cheaper and easier for Apps to be developed that can access your data when you allow them to.

You can take advantage of these capabilities by downloading an App on your smart phone, tablet, computer or other similar device and checking to see if they have created a connection to Select Health. If they have then you can authorize the App to access your health data. The information available through the Patient Access API includes information we collect about you while you have been enrolled in certain lines of business since January 1, 2016.

The information includes the following information for as long as we maintain it in our records:

  • Claims and “encounter” data* concerning your interactions with health care providers; and
  • Clinical data that we collect in the process of providing case management, care coordination, or other services to you.

* “Encounter” data is information about office visits and other interactions with providers that are paid for under a monthly (or annual) fee that Select Health pays a provider for furnishing care to members. This type of payment arrangement is referred to as a “capitation arrangement.”

The information we will disclose may include information about treatment for Substance Use Disorders, mental health treatment, HIV status, or other sensitive information.

What Are My Responsibilities with Interoperability?

It is important for you to understand that the App you select will have access to ALL of your information. The App is NOT subject to the Health Insurance Portability and Accountability Act (HIPAA) Rules and other privacy laws, which generally protect your health information. Instead, the App’s privacy policy describes self-imposed limitations on how the App will use, disclose, and (possibly) sell information about you. If you decide to access your information through the Patient Access API, you should carefully review the privacy policy of any App you are considering using to ensure you are comfortable with what the App will do with your information.

Centers for Medicare & Medicaid Services rules on interoperability limit what health insurance companies can do to stop Apps from asking you to access your health data. What Select Health can do under the rules is ask the App to promise that they will have a privacy policy and follow good practices on protecting your data. This process of asking the App about this is called “Attestation.”. An App developer may simply not respond to our request or may indicate that they do not follow the best practices that we’ve outlined. If such an App asks for access to your data you will receive a warning message that looks like this:

Important Recommendation

Things You May Wish to Consider When Selecting an App

  • Will this App SELL my data for any reason?
  • Will this App DISCLOSE my data to third parties for purposes such as research or advertising?
  • How will this App USE my data? For what purposes?
  • Will the App allow me to limit how it uses, discloses, or sells my data?
  • If I no longer want to use this App, or if I no longer want this App to have access to my health information, can I terminate the App’s access to my data? If so, how difficult will it be to terminate access?
  • What is the App’s policy for DELETING my data once I terminate access? Do I have to do more than just delete the App from my device?
  • How will this App inform me of changes in its privacy practices?
  • Will the App collect non-health data from my device, such as my location?
  • What security measures does this App use to protect my data?
  • What impact could sharing my data with this App have on others, such as my family members?
  • Will the App permit me to access my data and correct inaccuracies? (Note that correcting inaccuracies in data collected by the App will not affect inaccuracies in the source of the data.)
  • Does the App have a process for collecting and responding to user complaints?

If the App’s privacy policy does not satisfactorily answer these questions, you may wish to reconsider using the App to access your health information. Your health information may include very sensitive information. You should therefore be careful to choose an App with strong privacy and security standards to protect it.

Covered Entities and HIPAA Enforcement

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) enforces the HIPAA Privacy, Security, and Breach Notification Rules. Select Health is subject to HIPAA as are most health care providers, such as hospitals, doctors, clinics, and dentists. You can find more information about your rights under HIPAA and who is obligated to comply with HIPAA here: https://www.hhs.gov/hipaa/for-individuals/index.html. To learn more about filing a complaint with OCR related to HIPAA requirements, visit: https://www.hhs.gov/hipaa/filing-a-complaint/index.html. You may also file a complaint with Select Health by contacting Member Services at 800-538-5038.

Apps and Privacy Enforcement

An App generally WILL NOT be subject to HIPAA. An App that publishes a privacy notice is required to comply with the terms of its notice, but generally is not subject to other privacy laws. The Federal Trade Commission Act protects against deceptive acts (such as an App that discloses personal data in violation of its privacy notice). An App that violates the terms of its privacy notice is subject to the jurisdiction of the Federal Trade Commission (FTC). The FTC provides information about mobile App privacy and security for consumers here: https://www.consumer.ftc.gov/articles/0018-understanding-mobile-apps. If you believe an App inappropriately used, disclosed, or sold your information, you should contact the FTC. You may file a complaint with the FTC using the FTC complaint assistant: https://reportfraud.ftc.gov/#/.

Citations

  1. Medicare Advantage organizations: 42 C.F.R. § 422.119(g)
  2. Medicaid MCOs: 42 C.F.R. § 438.242(b)(5) (by reference to 42 C.F.R. § 431.60(f))
  3. CHIP MCOs: 42 C.F.R. § 457.1233(d)(2) (by reference to 42 C.F.R. § 457.730(f))
  4. QHP Issuers on FFEs: 45 C.F.R. § 156.221(g)