Interoperability: Application Program Interface (API) Information


Background/Overview

CMS’ Interoperability and Patient Access Final Rule (CMS-9115-F) requires us to grant you electronic access to your health history through a third-party Patient Access API app. If you choose to disclose your health data through one of these apps, the information that is available through the app will include health information we collect about you while you have been enrolled with LCI including:

  • Claims data concerning your interactions with health care providers.
  • Clinical data that we collect in the process of providing case management, care coordination, or other services to you.

Selecting an API app

It is important for you and/or your legal representative to take an active role in protecting your health information. Before you install an API app, here’s what you can do to better protect yourself:

Use official app stores.

  • To reduce the risk of installing a potentially harmful app, download the app only from official app stores, such as your device’s manufacturer or operating system app store. You may also research the developer before installing their app.

Understand what information the API app will have access to and how the information will be used.

  • Review the app’s privacy policy to understand how your data will be accessed and used or if your data will be shared.

Review the app’s permissions.

  • All apps need your permission to access information such as your location and contacts, or features such as your camera and microphone. You may be asked to give permission when you download the app, or when the app first attempts to access that information or feature. Pay close attention to the app’s permission requests: the app may work without the access it is requesting.

Privacy and Security of Third-Party Apps

The CARIN Code of Conduct is a foundational set of principles for how health care organizations can share data with consumer applications built by third-party app developers. We ask third-party app developers to attest that their privacy policy contains certain provisions and that their app follows the CARIN Code of Conduct.

  • If an app developer is asked to attest and does not respond to this request or attests negatively, you will have an opportunity to change your mind about sharing your data.
    • If you do not actively respond to us within the time we have communicated to you, your data will be shared as you originally requested.

Are third-party apps covered by HIPAA?

Third-party apps or websites are not subject to HIPAA or other privacy laws, which generally protect personal health information. Most apps will instead fall under the jurisdiction of the Federal Trade Commission (FTC) and the protections provided by the FTC Act. The FTC Act, among other things, protects against deceptive acts. The FTC provides information about mobile app privacy and security for consumers here.


Third-party apps or websites should have their own privacy policies that provide self-imposed limitations on how their app or website will use, maintain, disclose, and (possibly) sell information about you.


Before you decide to access your personal health information through an API app, you should carefully review the privacy policy of the third-party app or website you are considering. Make sure you understand and feel comfortable with how the app or website will use, maintain, and/or further disclose your information. If the app or website privacy policy does not address your concerns or is not available, you may consider using a different app or website.


Privacy policies should address the following items:

  • What health data will this app collect?
  • Will this app collect non-health data from my device, such as my location?
  • Will my data be stored in a de-identified or anonymized form?
  • How will this app use my data?
  • Will this app disclose my data to third parties?
  • Will this app sell my data for any reason, such as advertising or research?
  • Will this app share my data for any reason?
    • If so, with whom? For what purpose?
  • How can I limit this app’s use and disclosure of my data?
  • What security measures does this app use to protect my data?
  • What impact could sharing my data with this app have on others, such as my family members?
  • How can I access my data and correct inaccuracies in data retrieved by this app?
  • Does this app have a process for collecting and responding to user complaints?
  • If I no longer want to use this app, or if I no longer want this app to have access to my health information, how do I terminate the app’s access to my data?
  • What is the app’s policy for deleting my data once I terminate access?
    • Do I have to do more than just delete the app from my device?
  • How does this app inform users of changes that could affect its privacy practices?

If the app’s privacy policy does not clearly answer these questions, you should reconsider using the app to access your health information. Health information is very sensitive information, and you should be careful to choose apps with strong privacy and security standards to protect it.

Your Privacy Rights Under HIPAA

Right to Request Restrictions

  • You have the right to request restrictions on certain uses or disclosures of your medical information, including disclosures to a family member, other persons involved with your care, or with payment for your care.

Right to Request a Copy of LCI’s Privacy Notice


Right to Inspect or Receive a Copy of Your Medical Information and Claims Records

  • You have a right to review and receive a copy of your medical information and claims record. You may receive this information in paper or electronic form.

Right to Request a List of Who Your Information Has Been Shared With

  • You have a right to know who has received your medical information. You can receive a list of who received your information up to six (6) years prior to your request, except as protected by law.

Right to Request Confidential Communication

  • You have the right to request to receive your medical information confidentially or to be contacted by other confidential means or in other confidential locations to protect your privacy.

Right to Request an Amendment to Your Record

  • You have the right to request an amendment or correction to your medical information.

Right to File a Complaint

  • You have the right to file a complaint if you feel your privacy rights have been violated. You can file a complaint with LCI, the Wisconsin Department of Health Services, and/or the Office for Civil Rights (OCR).

You can find more information about patient rights under HIPAA and who is obligated to follow HIPAA here: https://www.hhs.gov/hipaa/for-individuals/guidance-materials-for-consumers/index.html

HIPAA FAQs for Individuals: https://www.hhs.gov/hipaa/for-individuals/faq/index.html


What should I do if I think my data has been breached or an app has used my data inappropriately?

If you have a complaint about the API app that you selected and are unable to resolve the issue directly with the API app vendor, you have the right to report your concern to the Federal Trade Commission or the Department of Health and Human Services’ Office for Civil Rights. These agencies have oversight responsibility for this initiative, and they can be reached at:

U.S. Federal Trade Commission
https://reportfraud.ftc.gov/#/assistant
1-877-FTC-HELP

Office for Civil Rights
https://ocrportal.hhs.gov/ocr/smartscreen/main.jsf
1-800-368-1019

App Developers: Interoperability Guide

Explore and view FHIR API documentation, complete the Third Party Application Production API Request Form, and more: here and here.