Hey Health Plan, I Want _______ App to Have My Health Data!

By Sheila Spence and Nickeyea Wilkinson

On March 9, 2020, the U.S. Department of Health and Human Services (HHS) finalized two rules (now released for publication in the Federal Register, as of April 21, 2020) intended to give patients additional access to their health data. The rules, issued by the Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator for Health Information Technology (ONC), implement interoperability and patient access provisions of the 21st Century Cures Act as well as the Administration’s MyHealthEData initiative.[1] The heart of CMS’ rule is to support data flowing freely and securely between payers, providers, and patients, and to truly achieve coordinated care, improved health outcomes, and reduced costs.[2]

This rule finalizes new policies that give patients access to their health information and moves the healthcare system toward greater interoperability. These new policies include:[3]

  • Patient Access API (applicable January 1, 2021)
  • Provider Directory API (applicable January 1, 2021)
  • Payer-to-Payer Data Exchange (applicable January 1, 2022)
  • Improving the Dually Eligible Experience by Increasing the Frequency of Federal-State Data Exchanges (applicable April 1, 2022)
  • Public Reporting and Information Blocking (applicable late 2020)
  • Digital Contact Information (applicable late 2020)
  • Admission, Discharge, and Transfer Event Notifications (applicable fall 2020)

Rather than focus on the rule in its entirety, we would like to highlight some privacy and data security concerns under Patient Access API that immediately stand out.

Under the new interoperability rules, Medicare Advantage (MA), Medicaid, Children’s Health Insurance Program (CHIP) health plans, and plans sold on Affordable Care Act exchanges will be required to make patient-requested data available to third-party software applications of the patient’s choice unless a security analysis determines the app poses a security risk to protected health information in transit or in the plan’s network.[4]

So, what can payers and patients do to protect patient data? As part of this final rule, a payer may ask third-party application developers to attest that they have informed members that: 1) they have an easy-to-read privacy policy and 2) they contain certain privacy provisions, such as (i) whether their privacy policy specifies secondary data uses, like how a patient’s health information may be accessed, exchanged, or used by any person or other entity, including whether it may be shared or sold at any time; (ii) how a patient can discontinue app access to their data; and (iii) what the process is for disposing of a patient’s data once the patient has withdrawn consent.[5]

Payers may also provide information to educate their members about sharing their health information with third parties, and about the role of federal partners like the Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) in protecting their rights and how to file complaints if their information has been breached by third-party apps.[6] As COVID-19 continues to overwhelm the health care system, health IT developers and health plans are likely to struggle to meet the compliance deadlines.

View the final rule here.


[1] America’s Health Insurance Plans. Summary of Interoperability Final Rules. Accessed March 10, 2020.

[2] CMS Newsroom. Interoperability and Patient Access Fact Sheet. Accessed March 9, 2020. https://www.cms.gov/newsroom/fact-sheets/interoperability-and-patient-access-fact-sheet

[3] CMS-9115-F. CMS Interoperability and Patient Access Final Rule. https://www.cms.gov/Regulations-and-Guidance/Guidance/Interoperability/index

[4] Id.

[5] Id.

[6] Id.