What is required by CMS?
The March 2020 final CMS Patient Access API / Interoperability rule requires MA plans and QHP Exchange issuers to:
Provide in an easily accessible location on its public website and through other appropriate mechanisms through which it ordinarily communicates with current and former enrollees seeking to access their health information held by the MA organization, educational resources in non-technical, simple and easy-to-understand language explaining at a minimum:
(1) General information on steps the individual may consider taking to help protect the privacy and security of their health information including factors to consider in selecting an application including secondary uses of data, and the importance of understanding the security and privacy practices of any application to which they will entrust their health information; and
(2) An overview of which types of organizations or individuals are and are not likely to be HIPAA covered entities, the oversight responsibilities of the Office for Civil Rights (OCR) and the Federal Trade Commission (FTC), and how to submit a complaint to:
Notice the phrase “Provide in an easily accessible location on its public website and through other appropriate mechanisms through which it ordinarily communicates with current and former enrollees”. This is an interpretive part of the rule, implying that plans should consider making the information above available in member mailings and in call center communications as well.
CMS has also issued sub-regulatory guidance with specifics on the content plans may provide on their websites to advise members on selecting a third-party application. It is quoted below and can be found at: https://www.cms.gov/files/document/patient-privacy-and-security-resources.pdf
In this guidance, CMS suggests that plans provide members with the following type of advice on selecting third-party apps and releasing their health information:
It is important for patients to take an active role in protecting their health information. Helping patients know what to look for when choosing an app can help patients make more informed decisions. Patients should look for an easy-to-read privacy policy that clearly explains how the app will use their data. If an app does not have a privacy policy, patients should be advised not to use the app. Patients should consider:
If the app’s privacy policy does not clearly answer these questions, patients should reconsider using the app to access their health information. Health information is very sensitive information, and patients should be careful to choose apps with strong privacy and security standards to protect it.
Additional steps plans can take
If plans wish to go beyond the minimum CMS rule requirements, the Interoperability and Patient Access final regulation encourages plans to ask the third-party app developers whose apps their members intend to use to attest to having certain provisions in their privacy, security and data-use policies.
This attestation could include a privacy policy, written in plain language, affirmatively shared with the patient before the patient authorizes the app to access their PHI. The app’s privacy policy would include the following information:
Apps can agree to, revise, or reject this attestation. Plans can share each app’s attestation decision with their members, with warnings about non-complying apps and an explanation that members can choose which app to use and can change their mind about using an app. If a member goes ahead with an app that revises or rejects the plan’s attestation, the plan must still provide the app API access, but the member has been warned.
The list of apps that attest to the plan’s privacy, security and data-use policies could be published on the plan’s website, included in member mailings, and made available in scripts for call center representatives.