Interoperability
The Interoperability and Patient Access Rule covers what you need to know before connecting your Avera Health Plans data to a third-party application.
Avera Health Plans Patient Access API
Avera Health Plans is required to provide you with access to detailed information about your health history through a “Patient Access API.” While you are a current member, you may access this information by downloading an Application (App) of your choice on your smartphone, tablet, computer or other similar device. The information available through the Patient Access API includes your demographic information as well as your medical and pharmacy claims information for the time you were enrolled in our Health Plan since January 1, 2016.
If you select a third-party app to access your information, the information includes:
- Personal details such as your name, address, phone number, email, and date of birth;
- Your insurance member ID, benefit plan and enrollment status;
- Insurance payments and amounts made on your behalf;
- Claims and encounter data concerning your interactions with health care providers; and
- Clinical data that we collect in the process of providing case management, care coordination, or other services to you.
- The information we will disclose may include information about treatment for substance use disorders, mental health treatment, HIV status, or other sensitive information.
- Medication information, including but not limited to your vaccinations or immunizations.
The information listed above may directly or indirectly disclose information relating to certain sensitive services such as:
- Reproductive health, pregnancy, and contraception information
- HIV/AIDS/AIDS-Related Complex
- Alcohol and substance use/abuse
- Rape, sexual assault, domestic violence or other physical abuse
- Genetic testing
- Diseases and conditions, including but not limited to sexually transmitted diseases
You have the right to share your health and insurance information with this App, but there may be risks. Avera Health Plans did not develop this App nor is it being provided by or on behalf of Avera Health Plans. Avera Health Plans bears no responsibility or liability for the security, integrity, dissemination or other usage of protected health information from Avera Health Plans transferred to the App. Avera Health Plans makes no representations or warranties of any kind or nature, direct or indirect, whether express or implied with respect to the security of the App or the unsecure transmissions of electronic Protected Health Information (ePHI) to the App. Once the App has accessed your data, it may no longer be protected by federal and state privacy laws such as the federal HIPAA laws. Once disclosed to the App, Avera Health Plans will no longer be responsible for the privacy and security of your data that is transferred to the App.
Avera Health Plans does not in any way promote, recommend, or endorse one application as preferred over another. Your individual right of access allows you to request Avera Health Plans to share your ePHI to the App as a matter of convenience through what may be an unsecure channel. Avera Health Plans does not support, maintain or otherwise offer guidance on setting up the App and has no control over the content of third-party applications. You are responsible for reading the App’s privacy policy that describes self-imposed limitations on how the App will use, disclose, and (possibly) sell information about you. If you decide to access your information through the Patient Access API, you should carefully review the privacy policy of any App you are considering using to ensure you are comfortable with what the App will do with your health information.
Things you may wish to consider when selecting an App:
- Will this App sell my data for any reason?
- Will this App disclose my data to third parties for purposes such as research or advertising?
- How will this App use my data? For what purposes?
- Will the App allow me to limit or control how it uses, discloses, or sells my data?
- If I no longer want to use this App, or if I no longer want this App to have access to my health information, can I terminate the App’s access to my data? If so, how difficult will it be to terminate access?
- What is the App’s policy for deleting my data once I terminate access? Do I have to do more than just delete the App from my device?
- How will this App inform me of changes in its privacy practices?
- Will the App collect non-health data from my device, such as my location?
- What security measures does this App use to protect my data?
- What impact could sharing my data with this App have on others, such as my family members?
- Will the App permit me to access my data and correct inaccuracies? (Note that correcting inaccuracies in data collected by the App will not affect inaccuracies in the source of the data.)
- Does the App have a process for collecting and responding to user complaints?
If the App’s privacy policy does not satisfactorily answer these questions, you may wish to reconsider using the App to access your health information. Your health information may include very sensitive information. You should therefore be careful to choose an App with strong privacy and security standards to protect it. If you suspect or experience any security issue while using the App, you should stop using the App immediately, uninstall it from all device(s) and change your password.
Avera Health Plans reserves the right to terminate your access to Avera Health Plans through the App if the connection to the App or device running the App presents an unacceptable level of security risk to PHI on Avera Health Plans’ systems.
Covered Entities and HIPAA Enforcement
The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) enforces the HIPAA Privacy, Security, and Breach Notification Rules. Avera Health Plans is subject to HIPAA as are most health care providers, such as hospitals, doctors, clinics, and dentists.
Apps and Privacy Enforcement
An App generally will not be subject to HIPAA. An App that publishes a privacy notice is required to comply with the terms of its notice, but generally is not subject to other privacy laws. The Federal Trade Commission Act protects against deceptive acts (such as an App that discloses personal data in violation of its privacy notice). An App that violates the terms of its privacy notice is subject to the jurisdiction of the Federal Trade Commission (FTC).