Third-party health applications

Sharing your personal health information with third-party applications

The Interoperability and Patient Access final rule (CMS-9115-F) lets GCHP members electronically get and share personal health information (PHI) maintained by GCHP with third-party applications (apps). GCHP is working with Edifecs to implement the application programming interfaces (APIs) required by this final rule.

  • Patient Access API: Lets third-party apps you authorize get your PHI maintained by GCHP.
  • Provider Directory API: Lets third-party apps get information about GCHP’s provider network.

There can be risks to sharing your health data with third-party apps, like:

  • They do not have to meet the same federal, state, and local privacy and security regulations as health plans.
  • Once you approve your health data to be shared, Health Insurance Portability and Accountability Act (HIPAA) privacy and security protections do not apply.

Any recourse against the app’s developers has to be taken through the Office for Civil Rights (OCR) and the Federal Trade Commission (FTC).

To learn more about the Interoperability and Patient Access final rule, visit: https://www.cms.gov/newsroom/fact-sheets/interoperability-and-patient-access-fact-sheet.

How do I sign up?

These are the steps to create your own Interoperability member account (which is needed before connecting to third-party apps):

  1. To create a member account, visit: https://members.edifecsfedcloud.com/gold.coast.health.plan/#/sign-up
  2. Enter your member details, such as email address, and click ‘Submit.’
  3. You will get an activation email with a temporary password. Click the ‘Sign In’ button in the email.
  4. Enter your email address and temporary password on the ‘Sign In’ page.
  5. Change your temporary password to a unique password.
  6. Your Member Account profile should be completed and you can start passing your health care data to verified third-party apps of your choosing.

Steps to allow verified third-party apps to use your health care data.

  1. Find your verified third-party app of choice.
  2. On that app’s Log In screen, enter your email address and the unique password you created when making your member account.
  3. When you first log in to the third-party app, you will be asked to give consent to the app to receive your medical data.
  4. Carefully read the content pages before deciding to move on.
  5. If you give consent to the third-party app, your health care data will be passed to the app at the time of the login. The data will be updated each time you log in.

Before you sign up, make sure you read the information below about privacy and security.

What types of personal health information (PHI) can be shared with third-party apps?

GCHP maintains the information below. It can be electronically shared with third-party apps if you consent:

  • Medical and pharmacy claims
  • Clinical data, such as prescribed medications, lab results, and immunizations
  • Health care providers and care team members

How can I access my health information through a third-party app?

After signing up, carefully choose an app that is registered with GCHP’s partners, Edifecs or Council for Affordable Quality Healthcare (CAQH). Download it to your phone through your app store (e.g., Apple App Store or Google Play). After downloading the app:

  1. Complete the account setup process.
  2. Use the app's menus and prompts to connect it to your health plan.
  3. Give your permission to share your health information with the app.

What if a third-party app I want to use is not registered with GCHP’s partners?

Contact the administrators of the app and ask that they work with Edifecs or CAQH to become registered.

Where can third-party app developers get the information needed to use GCHP’s Patient Access API and Provider Directory API?

GCHP and Edifecs maintain a developer portal where app developers can learn more about connection to Fast Healthcare Interoperability Resources (FHIR) repositories via APIs. Developers can find more information about the Developer Portal here:
https://fdp.edifecsfedcloud.com/#/portal/gold.coast.health.plan/home

What should I keep in mind before authorizing a third-party app to get my health information?

If the app’s privacy policy does not clearly answer these questions, or you don’t feel comfortable with the answers given, think about finding another one to use:

  • What health data will this app collect?
  • Will it collect non-health data from my device, such as my location?
  • Will my data be stored in a way that doesn’t identify me?
  • How will this app use my data?
  • Will it share my data with third parties?
  • Will it sell my data for any reason, such as advertising or research?
  • Will it share my data for any reason? If so, with whom? For what purpose?
  • How can I limit this app’s use and disclosure of my data?
  • What security measures does the app use to protect my data?
  • What impact could sharing my data with the app have on others, such as my family members?
  • How can I access my data and correct inaccuracies in data retrieved by the app?
  • Does the app have a process for collecting and answering user complaints?
  • If I no longer want to use this app, or allow it to have access to my health information, how do I stop its access to my data?
  • What is the app’s policy for deleting my data once I stop access? Do I have to do more than just delete it from my device?
  • How does the app let users know of changes that could affect its privacy practices?

What are my rights under HIPAA and who must follow HIPAA?

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces the:

  • Health Insurance Portability and Accountability Act (HIPAA)
  • Privacy, Security, and Breach Notification Rules
  • Patient Safety Act and Rule

HIPAA applies to health plans, health care providers, and related businesses.

You can learn more about patient rights under HIPAA, and who needs to follow it, here:

You may also want to review the HIPAA Frequently Asked Questions (FAQs):

Are third-party apps covered by HIPAA?

Most third-party apps are not covered by HIPAA. Most fall under the Federal Trade Commission (FTC) Act protections. The FTC Act protects against misleading actions (e.g., if an app shares personal data without permission, even if it has a privacy policy that says it will not do so).

To learn more about mobile app privacy and security for consumers, click here: https://www.consumer.ftc.gov/articles/0018-understanding-mobile-apps

How do I file a complaint with the OCR or FTC?

To learn more about filing a complaint with the OCR under HIPAA, visit:
https://www.hhs.gov/hipaa/filing-a-complaint/index.html.

You can file a complaint with the OCR here: https://ocrportal.hhs.gov/ocr/smartscreen/main.jsf.

You can file a complaint with the FTC here:

https://www.ftccomplaintassistant.gov/#crnt&panel1-1

https://reportfraud.ftc.gov/assistant

How do I file a complaint with GCHP if my privacy rights are violated? 

As a GCHP member, you have the right to file a complaint with our Privacy Officer. You must give us specific, written information to support your complaint. You may also file a complaint with the Secretary of Health and Human Services at https://www.hhs.gov/hipaa/filing-a-complaint/index.html.

GCHP will not retaliate against you in any way for filing a complaint. Filing a complaint will not affect the quality of health care services you receive as a member.

Reach us at:
Gold Coast Health Plan
Attn: Privacy Officer
711 E. Daily Drive, Suite 106
Camarillo, CA 93010-6082
Compliance Hotline: 1.866.672.2615, 24 hours a day, seven days a week, or TTY/TDD 711

The Office of the Ombudsman helps solve problems from a neutral standpoint and can connect you with the right person / department to help you with your problem.

Department of Health Care Services Office of the Ombudsman
1.888.452.8609
Monday through Friday, 8 a.m. to 5 p.m. (except holidays)
MMCDOmbudsmanOffice@dhcs.ca.gov