What is the Centers for Medicare & Medicaid Services’ (CMS) Patient Access Rule?

The Interoperability and Patient Access Rule requires Medicare, Medicaid and CHIP health plans, as well as plans sold on the federal exchanges, to give patients electronic access to their claims data. The Rule puts patients first, giving them access to their health information when they need it and in a form they can actually use.

This rule is part of the cross-agency MyHealthEData initiative, started in 2018 to facilitate data-sharing across public payers and provider organizations.

Who is it for?

It applies to members of Medicare Advantage (MA) plans, state Medicaid programs (both fee-for-service (FFS) and managed care), Children’s Health Insurance Programs (CHIP), including FFS and managed care, and Qualified Health Plans (QHPs) sold on the federal health insurance exchanges established by the Affordable Care Act (ACA).

How will it work?

In 2018, CMS launched the “Blue Button 2.0” Application Programming Interface (API), an openly published API that lets third-party apps retrieve a Medicare beneficiary’s claims data in a standard format, and that helps health care systems exchange information interoperably. An openly published API is documented for any developer to build against; an app still cannot read a beneficiary’s data until that beneficiary logs in and grants it access. CMS says that over 1,500 developers are building apps of various kinds on this API.

The CMS rule, issued alongside the companion ONC rule, requires Medicare Advantage (MA) organizations, state Medicaid and CHIP FFS programs, Medicaid managed care plans, CHIP managed care entities, and issuers of Qualified Health Plans (QHPs) on the Federally-facilitated Exchanges (FFEs) to implement an API using the HL7 Fast Healthcare Interoperability Resources (FHIR) standard. State CHIP programs that do not operate an FFS program are not required to establish an API.

What do you need to do?

  • Learn how you can prepare yourself.
  • Stay informed about ways to make sure the apps you use protect your privacy.
  • Once apps are available, select the app of your choice in accordance with the security and privacy guidelines below.

Why is CMS doing it? / Why is it important?

To promote interoperability and patient empowerment.

CMS describes the intent of the API, “Consumers routinely perform many daily tasks on their mobile phones – banking, shopping, paying bills, scheduling – using secure applications. We believe that obtaining their health information should be just as easy, convenient, and user-friendly.”

The interoperability rules call for health care organizations to give patients better access to their personal health data and clearer information about cost, empowering them to make informed decisions about what care they receive and where.

With secure, standards-based application programming interface (API) requirements, you could have access to and control over your health information, through whatever device or app you choose. The goal is to foster choice and competition in health care.

App Developers API Support

Guidance for Developers: MercyCare Interoperability APIs

Protecting Your Health Information

What information should I consider before authorizing a third-party app to access my health care data?

When choosing an app, look for a privacy policy that explains how your health information will be used. If an app does not have a privacy policy, do not use the app.

Your health information is sensitive. Be careful to choose an app with strong privacy and security standards to protect it. When choosing an app, you should consider:

What health data will the app collect?  Will the app collect non-health data from my device, such as my location?

Will my data be stored in a de-identified or anonymized form?

How will this app use my data?

Will the app disclose my data to third parties? 

Will the app sell my data for any reason, such as advertising or research?

Will the app share my data for any reason? If so, with whom? For what purpose?

How can I limit the app’s use and disclosure of my data?

What security measures does the app use to protect my data?

What impact could sharing my data with the app have on others, such as my family members?

How can I access my data and correct inaccuracies in data retrieved by the app?

Does the app have a process for collecting and responding to user complaints?

If I no longer want to use this app, or if I no longer want the app to have access to my health information, how do I terminate the app’s access to my data?

What is the app’s policy for deleting my data once I terminate access? Do I have to do more than just delete the app from my device?

How does the app inform users of changes that could affect its privacy practices?

If the app’s privacy policy does not clearly answer these questions you should reconsider using the app to access your health information. 

What should I consider if I am part of an enrollment group?

Some individuals, particularly those covered by Qualified Health Plans (QHPs) on the Federally-facilitated Exchanges (FFEs), may be part of an enrollment group, where they share the same health plan with other members of their tax household. Often the primary policy holder and other members can access information for all members of an enrollment group unless a specific request is made to restrict access to member data. You will use your MyChart account to give the app you have chosen permission to access your health plan information. If you have proxy access set up in MyChart, others in your family may be able to access your information as well. If you do not want others to access your information, you will need to change the settings in your MyChart account.

What are my rights under the Health Insurance Portability and Accountability Act (HIPAA) and who must follow HIPAA?

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces the HIPAA Privacy, Security, and Breach Notification Rules, and the Patient Safety Act and Rule. You can find more information about patient rights under HIPAA and who is obligated to follow HIPAA at: https://www.hhs.gov/hipaa/for-individuals/guidance-materials-for-consumers/index.html.

You can also find the HIPAA FAQs for Individuals at: https://www.hhs.gov/hipaa/for-individuals/faq/index.html.

Are third-party apps covered by HIPAA?

Most third-party apps will not be covered by HIPAA. Most third-party apps will instead fall under the jurisdiction of the Federal Trade Commission (FTC) and the protections provided by the FTC Act. The FTC Act, among other things, protects against deceptive acts (e.g., if an app shares personal data without permission, despite having a privacy policy that says it will not do so).

The FTC provides information about mobile app privacy and security for consumers at: https://www.consumer.ftc.gov/articles/0018-understanding-mobile-apps.

What should I do if I think my health data have been breached or an app has used my data inappropriately?

To file a complaint with MercyCare’s internal privacy office:

Reports can be made by:

  • Calling the Compliance Hotline at (877) 647-6464 (By using this number, you can make an anonymous report as it is an outside service and no caller ID is used. You do not have to give your name.)
  • Accessing the Compliance Hotline online at mercyhealthhotline.com

To learn more about filing a complaint with OCR under HIPAA, visit: https://www.hhs.gov/hipaa/filing-a-complaint/index.html.

You may file a complaint with OCR using the OCR complaint portal:

https://ocrportal.hhs.gov/ocr/smartscreen/main.jsf

You may file a complaint with the FTC using the FTC Complaint Assistant:

https://www.ftccomplaintassistant.gov/#crnt&panel1-1