Using a Third-Party App to Access your Health Data

The Interoperability and Patient Access final rule (CMS-9115-F) puts patients first by giving them access to their health information when they need it most, and in a form they can best use.

About Interoperability

This final rule focuses on giving patients access to their health information by requiring that patient data be made available, using CMS's authority to regulate Medicare Advantage (MA), Medicaid, Children's Health Insurance Program (CHIP), and Qualified Health Plan (QHP) issuers on the Federally-Facilitated Exchanges (FFEs).

The full text of the Interoperability and Patient Access final rule is available on the National Archives and Records Administration website.

What to Consider Before Allowing Access to Your Healthcare Data

Before allowing access to your health data through the Application Programming Interface (API), consider the questions below. They are meant to help you make an informed decision about your health data when reviewing an app and its privacy policy.

  • What health data will this app collect? Will this app collect non-health data from my device, such as my location?
  • Will my data be stored in a de-identified or anonymized form?
  • How will this app use my data?
  • Will this app disclose my data to third parties?
    • Will this app sell my data for any reason, such as advertising or research?
    • Will this app share my data for any reason? If so, with whom? For what purpose?
  • How can I limit this app’s use and disclosure of my data?
  • What security measures does this app use to protect my data?
  • What impact could sharing my data with this app have on others, such as my family members?
  • How can I access my data and correct inaccuracies in data retrieved by this app?
  • Does this app have a process for collecting and responding to user complaints?
  • If I no longer want to use this app, or if I no longer want this app to have access to my health information, how do I terminate the app’s access to my data?
    • What is the app’s policy for deleting my data once I terminate access? Do I have to do more than just delete the app from my device?
  • How does this app inform users of changes that could affect its privacy practices?

If the app's privacy policy does not clearly answer these questions, patients should reconsider using the app to access their health information. Health information is highly sensitive, and patients should be careful to choose apps with strong privacy and security standards to protect it.

Other Topics Participants Should Consider When Selecting a 3rd Party App

  • What type of enrollment group are you in?
    • Your enrollment group could determine whether the policyholder will have access to your health information.
  • Understand your rights under the Health Insurance Portability and Accountability Act (HIPAA) and who must follow HIPAA.
    • More information on health information privacy is available in the HIPAA FAQs on HHS.gov.
  • 3rd party apps will not be covered by HIPAA. Most fall under the Federal Trade Commission (FTC) for enforcement. More information can be found on the FTC website.
  • The process for filing a complaint if you believe your data has been breached or used inappropriately.

List of 3rd Party Apps

A complete list of accepted applications can be found on the CARIN app developers website.