Patient Privacy and Security Resources

Supporting Payers Educating their Patients

The Centers for Medicare and Medicaid Services (CMS) released the Interoperability and Patient Access final rule on March 9, 2020. The rule addresses how payers must give patients a digital endpoint through which they can access their healthcare information. Patients can use any third-party application of their choice to retrieve their claims and encounter information, including cost and clinical information. Because this information becomes digitally accessible, its privacy and security remain a concern, so the final rule requires payers to provide resources that educate patients about the privacy and security measures the payer has implemented. To broaden the reach of digital access, the rule requires most CMS-regulated payers (specifically, Medicare Advantage (MA) organizations, Medicaid Fee-For-Service (FFS) programs, CHIP FFS programs, Medicaid managed care plans, CHIP managed care entities, and Qualified Health Plan (QHP) issuers on the Federally-facilitated Exchanges (FFEs), excluding issuers offering only Stand-alone Dental Plans (SADPs) and QHP issuers offering coverage in the Federally-facilitated Small Business Health Options Program (FF-SHOP)) to implement and maintain a secure, standards-based Patient Access Application Programming Interface (API) using Health Level 7® (HL7) Fast Healthcare Interoperability Resources® (FHIR) Release 4.0.1.

This document provides an overview of the information that must appear in a payer's patient resource document. Payers can refer to it to produce resources tailored to their patients' needs.

What the Rule Requires

The final rule requires payers to educate patients on how to keep their health information private and secure. The educational resource should be written in non-technical, simple, easy-to-understand language, and payers should post it where patients can find it easily, such as on the payer's public website. At a minimum, the resource should cover the following:

  • The importance of privacy and security practices in general, and of the privacy and security practices of any specific application. The resource should also give general information on the steps patients can take to preserve the privacy and maintain the security of their health information, and on secondary uses of their data.
  • The types of organizations and individuals covered by HIPAA, the oversight responsibilities of the Office for Civil Rights (OCR) and the Federal Trade Commission (FTC), and how to file a complaint with OCR and the FTC.

The final rule also permits payers to ask third-party app developers to attest to certain provisions of their privacy policy, and payers should educate patients about these attestation requirements. If an app developer does not respond to an attestation request or attests negatively, the patient can restrict sharing of their data with that app. If the patient does not respond to the payer within the stipulated timeframe, the payer can share the data in accordance with its policy.

Helpful Information for Payers Creating Educational Resources for their Patients

What are important things patients should consider before authorizing a third-party app to retrieve their health care data?

Active participation by patients in protecting their health information helps them make better decisions when choosing an app. They should look for an easy-to-understand privacy policy from the app developer; if an app has no privacy policy at all, it is advisable not to use it. In general, a privacy policy should clearly explain the following points:

  • Data Collection: the types of data, both health and non-health, that the app collects from the patient's device.
  • Data Encryption: how the app encrypts the patient's data before storing it.
  • Data Usage: how the app uses the data it collects.
  • Data Disclosure: the scenarios in which the app shares or discloses the patient's data to third parties. If it does, the policy should state the purpose of the sharing and the entities with whom the data is shared, and should tell the patient how to limit the app's use and disclosure of their data.
  • Security Measures: the security protocols the app uses to protect data.
  • Data Sharing: what impact sharing data with the app could have on others, such as the patient's family members.
  • Data Accessibility: how the patient can access their data and correct inaccuracies in the data retrieved by the app. If the patient no longer wants to use the app or wants to stop it from accessing their data, the policy should explain how to terminate the app's access, and what the app's data purging policy is once access is terminated.
  • Complaint Resolution: how the patient can file a complaint and how complaints are addressed.
  • Update Information: how patients will be informed of any update to the app that could affect its privacy policy.

Patients should think twice before using an app whose privacy policy does not answer the above questions clearly. App developers, for their part, should recognize the confidentiality and sensitivity involved in handling patients' health information.

What should a patient consider if they are part of an enrollment group?

Some patients, particularly those covered by Qualified Health Plans (QHPs) on the Federally-facilitated Exchanges (FFEs), may be part of an enrollment group in which they share the same health plan with other members of their tax household. Typically, each member of an enrollment group can access the other members' information unless a member requests that others be barred from accessing his or her data. Policies for enrollment group plans may differ from state to state, so patients should understand how their data can be accessed and used while they are a member of an enrollment group. Members of the same tax household have the option to enroll in separate enrollment groups, even while applying for Exchange coverage and financial assistance on the same application. However, this may result in higher premiums for the household, some members (e.g., dependent minors) may not be able to enroll in all QHPs in a service area if they enroll in their own enrollment group, and total out-of-pocket expenses may be higher if each member has to meet a separate annual limitation on cost sharing (i.e., Maximum Out-of-Pocket (MOOP)).

What are a patient’s rights under the Health Insurance Portability and Accountability Act (HIPAA) and who must follow HIPAA?

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces the HIPAA Privacy, Security, and Breach Notification Rules, and the Patient Safety Act and Rule. You can find more information about patient rights under HIPAA and who is obligated to follow HIPAA here: https://www.hhs.gov/hipaa/for-individuals/guidance-materials-for-consumers/index.html

Please use the following link to access the list of HIPAA frequently asked questions: https://www.hhs.gov/hipaa/for-individuals/faq/index.html

Are third-party apps covered by HIPAA?

No. Most third-party apps are not covered by HIPAA; instead, they are generally subject to the jurisdiction of the Federal Trade Commission (FTC). The FTC Act protects consumers against unfair and deceptive practices, which means, for example, that an app cannot share a patient's health information without their consent and may use it only as described in its privacy policy.

The FTC provides information about mobile app privacy and security for consumers here: https://www.consumer.ftc.gov/articles/0018-understanding-mobile-apps

What should a patient do if they think their data have been breached or an app has used their data inappropriately?

Payers are responsible for telling patients how to report a suspected data breach to the payer's internal privacy office. The resource must explain the process and the point of contact for filing such a report. Additionally, payers should provide information about submitting a complaint to OCR or the FTC, as appropriate.

References

Please use the following links to learn more about the topic:

To learn more about filing a complaint with OCR under HIPAA: https://www.hhs.gov/hipaa/filing-a-complaint/index.html
Individuals can file a complaint with OCR using the OCR complaint portal: https://ocrportal.hhs.gov/ocr/smartscreen/main.jsf
Individuals can file a complaint with the FTC using the FTC complaint assistant: https://www.ftccomplaintassistant.gov/#crnt&panel1-1