Allowing Access to Your Private Health Information

Congress has passed a law: The CMS Interoperability and Patient Access Final Rule involving the health data for Medicare Advantage members. This law requires health insurance providers to enable you, as a Medicare Advantage member, to share your insurance records with a third party, such as an app. These insurance records may contain detailed personal information, including your health conditions, medical treatments and prescriptions you have received, and your genetic health risks.

It is important for you to understand that if you release your information to a third-party app, the app will have access to all of your health information. The app may not be subject to the HIPAA Rules and other privacy laws which generally protect your health information. If you choose to share your data with a third party through an app, Blue Cross cannot control how they will use or whether they will protect your personal health data.

What It Means to Share Your Data

If you request for Blue Cross to share your health data, everything in your private health records at Blue Cross will be available to the third party you’ve indicated. This may include highly sensitive information that could affect you and your family, such as:

  • Medications you have taken
  • Genetic conditions
  • Mental health conditions
  • Sexual health conditions

Once given access, the third party may choose how to use your information. After you share your data, Blue Cross won’t be able to prevent the third party from using it for any purpose, including sharing it with additional third parties without your knowledge or consent.

Your release of your private health information is final. If you choose to share your information, Blue Cross won’t be able to make the third party delete your information, place limits on its use, or reverse the transfer of your data, even if you change your mind.

Please think carefully before sharing your personal health information with a third party. Sometimes third parties might have written privacy policies. However, no matter what is written in these policies (even if they claim to follow industry best practices), Blue Cross cannot guarantee that third parties will abide by them. Blue Cross has no power to hold these third parties accountable for violating their own privacy policies.

How to Decide if Sharing Your Information Is Safe

Before choosing to share your health data with a third party company or app, you may want to ask yourself these questions:

  • Will they sell my data for any reason?
  • Will they share my data with other third parties for purposes such as advertising?
  • Will they collect non-health data from my device, such as my location?
  • Will there be any limits on what they can do with my data?
  • If I change my mind, can I cut off their access to my data?
  • Can I easily reach them if something goes wrong?
  • What is their policy for deleting my data after I cut off access?
  • If I delete the app or request, do they keep my data?
  • What security measures do they use to protect my data?
  • What impact could sharing my data with this company or app have on others, such as my family members?
  • How will they inform me of changes in their privacy practices?
  • How will they use my data, and for what purposes?
  • Will they allow me to access my data and correct inaccuracies?
  • Do they have a process for collecting and responding to user complaints?

Important Privacy Information

Covered Entities and HIPAA Enforcement

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) enforces the HIPAA Privacy, Security, and Breach Notification Rules. Blue Cross is subject to HIPAA as are most health care providers, such as hospitals, doctors, clinics, and dentists. You can find more information about your rights under HIPAA and who is obligated to comply with HIPAA here: https://www.hhs.gov/hipaa/for-individuals/index.html.

To learn more about filing a complaint with OCR related to HIPAA requirements, visit: https://www.hhs.gov/hipaa/filing-a-complaint/index.html. You may also file a complaint with Blue Cross by calling the number on your ID card.

Third Party Apps and Privacy Enforcement

An app not affiliated with Blue Cross Blue Shield of Massachusetts may not be subject to HIPAA. An app that publishes a privacy notice is required to comply with the terms of its notice, but generally isn’t subject to other privacy laws. The Federal Trade Commission Act protects against deceptive acts (such as an app that discloses personal data in violation of its privacy notice). An app that violates the terms of its privacy notice is subject to the jurisdiction of the Federal Trade Commission (FTC). The FTC provides information about mobile app privacy and security for consumers here: https://www.consumer.ftc.gov/articles/0018-understanding-mobile-apps.

If you believe an App inappropriately used, disclosed, or sold your information, you should contact the FTC. You may file a complaint with the FTC using the FTC complaint assistant: https://reportfraud.ftc.gov/

Developer Portal

Are you Developer? Please click here