Protecting Your Healthcare Data

The 21st Century Cures Act and MyHealthEData, an initiative of the Centers for Medicare & Medicaid Services (CMS), give patients the right to access and manage their healthcare data electronically. As a result of the Cures Act, you will have the ability to access your healthcare data using a third-party application, or “app.” Your healthcare data includes sensitive information. For example, it could include test results, diagnoses, surgical reports, prescription information, and claims information. When providing access to your healthcare data, you are the first line of defense to protect who sees or has access to it.  Some apps will offer more privacy and security than others will. When choosing an app, you should look for an easy-to-read privacy policy that clearly explains how the app will use your data. If an app does not have a privacy policy, or you do not like or understand how the app will use your information, you should not use that app.

Questions to ask before using a third-party app

When deciding if you want to use a third-party app, you should think about these questions.

Protecting your privacy

  1. What health data will this app collect?
  2. What permissions must I give or what passwords must be shared with the app in order to pull my health data from a provider?
  3. Can this app collect non-health data from my device without my knowledge?
  4. Does this app have the right to share or sell my information to another company? And if so, are there limitations to the data that they can disclose?
  5. Is there a way to limit or restrict what data the app can use and share?
  6. Can I turn off Locations Services for the app?

Safeguarding your data

  1. Will my data be stored in a manner that keeps me anonymous?
  2. How will the app secure and protect my data?
  3. Can sharing my data with the app impact others, such as family members?

Communicating between the app and user

  1. How does this app inform users of changes that affect its privacy practices?
  2. How do I access my data and what is the process to correct incorrect data that is retrieved by the app?
  3. Does this app have a process for collecting and responding to user complaints, concerns, or technical questions? Is there a dedicated customer service email and/or phone number?

Deleting the app

  1. What is the app’s policy for deleting my data once I turn off access? Do I have to do more than just delete the app from my device?
  2. Will the company that owns the app keep the data it collects on me even after I delete the app and if so, for how long?
  3. What is the process to revoke my permission for this app company to access my health data?

Using a third-party app allows you to pull all of your health data into one place. This may allow you to share the information with family, caregivers, and healthcare providers. You could be able to access data to answer a question during a doctor visit or review notes from a recent surgery to discuss with a family member. However, if you are authorizing a third-party app to receive your health information, you will need to take an active role in protecting that information. The decision to use a third-party app and the choice of which app to use is entirely up to you. 

What is HIPAA?

The regulations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) protect the privacy and security of your individually identifiable health information when it is held by certain entities. It also establishes individual rights with respect to health information. The HIPAA Privacy Rule provides you a legal right to see and receive copies of your medical records from your healthcare providers and health plans. You also get to decide if you want to allow someone else, like another doctor or family member, to see or receive your health information. Under HIPAA, you also have the right to request to amend the information.

If you suspect your rights under HIPAA have been violated, you have the right to file a complaint with the Office for Civil Rights (OCR).

For informative videos on HIPAA and your rights, visit healthit.gov/access.

What entities are covered under HIPAA?

The following explanation on entities is taken from the HHS.gov website.

Organizations that must follow HIPAA regulations are called “covered entities.”

Covered entities include:

  • Health Plans, including health insurance companies, HMOs, company health plans, and certain government programs that pay for healthcare, such as Medicare and Medicaid.
  • Most Healthcare Providers—those that conduct certain business electronically—including most doctors, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies, and dentists.
  • Healthcare Clearinghouses—entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.

In addition, business associates of covered entities must follow parts of the HIPAA regulations. These would include contractors, subcontractors, and other outside persons and companies that are not employees of a covered entity, but which will need to have access to your health information in order to provide services to the covered entity. For example, these companies might provide billing, document storage, or accounting services.

What entities are not required to follow HIPAA regulations?

Many organizations that have health information about you do not have to follow HIPAA. Examples of these types of organizations include: 

  • Life insurers
  • Employers
  • Workers’ compensation carriers
  • Most schools and school districts
  • Many state agencies like child protective service agencies
  • Most law enforcement agencies
  • Many municipal offices

Do third-party apps have to follow HIPAA regulations?

Once you request a third-party app to download your medical data from a covered entity, such as name of health plan, that data is unlikely to be subject to HIPAA privacy protections. If you have a concern or complaint about a third-party app, you should file that complaint with the Federal Trade Commission (FTC) who can assess whether the app has violated the FTC Act. The FTC Act, among other things, protects against deceptive actions (e.g., if an app shares personal data in a way that violates its privacy policy).

How do I register a HIPAA privacy complaint?

If you believe a relevant entity has violated your rights under HIPAA, you may file a complaint with the Office for Civil Rights (OCR). The OCR has responsibility for enforcing the HIPAA Privacy, Security, and Breach Notification Rules, and the Patient Safety Act and Rule.

Your complaint must:

  • be filed in writing by mail, fax, e-mail, or via the OCR Complaint Portal
  • name the healthcare or social service provider involved
  • describe the acts or omissions you believe violated civil rights laws or regulations
  • be filed within 180 days of when you knew that the act or omission complained of occurred
  • OCR may extend the 180-day period if you can show “good cause”

During the COVID-19 pandemic, the OCR is strongly encouraging use of its OCR Complaint Portal for faster response times. However, if you prefer to correspond by email, fax, or mail, you can find addresses, instructions, and an optional complaint form at HIPAA Complaint Process | HHS.gov.

How do I register a complaint about a third-party app not subject to HIPAA, if I think they have used my information inappropriately?

Most third-party apps will fall under the jurisdiction of the Federal Trade Commission (FTC) and the protections provided by the FTC Act. The FTC Act protects against certain unfair and misleading acts by businesses x. If you have a complaint, you can file online at ReportFraud.ftc.gov or call 1-877-FTC-HELP.

What are the privacy policies of my health plan?

For Virginia Premier privacy policies, visit our Notice of Privacy Practices page. These policies apply to data that is controlled by the health plan, but will not cover data in the hands of third-party apps as a result of your request or authorization.