Interoperability Website Resources

The Centers for Medicare and Medicaid Services (CMS) established the Interoperability and Patient Access final rule in March 2020. This rule applies to Harvard Pilgrim Medicare Advantage and New Hampshire Exchange members. The rule requires applicable issuers to make certain patient data available via an API, or application programming interface. Medicare Advantage members may also access formulary and provider directory information. Current Medicare Advantage members, as well as Exchange members in NH will be able to connect to Harvard Pilgrim’s API to access their data via their preferred third-party application beginning on July 1, 2021.

Harvard Pilgrim recognizes an eligible member’s right to share their information with the third-party app of their choice but advises that there may be risks to doing so. Eligible members should review the application or website’s privacy policy and terms and conditions to fully understand how their information will be safeguarded, used and disclosed.

What are important things individuals should consider before authorizing a third-party app to retrieve their health care data?

• Individuals should look for an easy-to-read privacy policy that clearly explains how the app will use their data. If an app does not have a privacy policy, individuals may not want to use the app. Individuals should consider the following questions when reviewing privacy policies. If the app’s privacy policy does not clearly answer these questions, individuals may want to reconsider using the app to access their health information. 

  • What health data will this app collect? Will this app collect non-health data from my device, such as my location?

  • Will my data be stored in a de-identified or anonymized form?

  • How will this app use my data?

  • Will this app disclose my data to third parties?

  • Will this app sell my data for any reason, such as advertising or research?

  • Will this app share my data for any reason? If so, with whom? For what purpose?

  • How can I limit this app’s use and disclosure of my data?

  • What security measures does this app use to protect my data?

  • What impact could sharing my data with this app have on others, such as my family members?

  • How can I access my data and correct inaccuracies in data retrieved by this app?

  • Does this app have a process for collecting and responding to user complaints?

  • If I no longer want to use this app, or if I no longer want this app to have access to my health information, how do I terminate the app’s access to my data?

  • What is the app’s policy for deleting my data once I terminate access? Do I have to do more than just delete the app from my device?

  • How does this app inform users of changes that could affect its privacy practices?

If the app’s privacy policy does not clearly answer these questions, individuals may want to reconsider using the app to access their health information. Health information is very sensitive, and individuals should be careful to choose apps with strong privacy and security standards to protect it.

What should an individual know if they are enrolled on a family policy?

Parents enrolled on a family plan may allow an app to access health information for themselves and any of their dependent minors ages 0-12. (Note that restrictions may apply in some cases.) Individuals age 13 and older must grant the app access to their health information themselves.

Can personal representatives allow an app to access health information for a member?

Harvard Pilgrim recognizes a person with legal authority to act on behalf of an individual in making decisions related to health care (e.g. health care proxy, power of attorney, conservator, legal guardian, etc.) as their Personal Representative. If you are the Personal Representative of a member, and have not already done so, please complete and submit the Personal Representative form with your legal documentation in order to be documented in Harvard Pilgrim’s system.

If you are already documented in Harvard Pilgrim’s system as a Personal Representative, you can:

• Create an online account to allow an app to access the member’s health information.
• Log in.
• Complete the “Forgot your username or password” steps. 

Can I request clinical information from my previous plan be sent to Harvard Pilgrim?

Yes.  If you’re a current Harvard Pilgrim member or personal representative for one, you can request that a payer that previously provided coverage to you during the past five years send Harvard Pilgrim patient data. This information will be included if you connect to Harvard Pilgrim’s Patient Access API to access data via your preferred third-party applications. Begin the process to request information (login required)

What are an individual’s rights under the Health Insurance Portability and Accountability Act (HIPAA), and who must follow HIPAA?

• The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces the HIPAA Privacy, Security and Breach Notification Rules, and the Patient Safety Act and Rule.
• You can find more information about individual rights under HIPAA and who is required to follow HIPAA here: www.hhs.gov/hipaa/for-individuals/guidance-materials-for-consumers/index.html.
• HIPAA FAQs for Individuals: www.hhs.gov/hipaa/for-individuals/faq/index.html.

Are third-party apps covered by HIPAA?

• Most third-party apps will not be covered by HIPAA. Most third-party apps will instead fall under the jurisdiction of the Federal Trade Commission (FTC) and the protections provided by the FTC Act. The FTC Act, among other things, protects against deceptive acts (e.g., if an app shares personal data without permission, despite having a privacy policy that says it will not do so).
• The FTC provides information about mobile app privacy and security for consumers here: www.consumer.ftc.gov/articles/0018-understanding-mobile-apps.

What should an individual do if they think the privacy or security of their data has been breached by a third party app or an app has used their data inappropriately? 

• To learn more about filing a complaint with OCR related to a violation under HIPAA, visit: www.hhs.gov/hipaa/filing-a-complaint/index.html.
• To file a complaint with the FTC using the FTC complaint assistant, visit: https://reportfraud.ftc.gov/#/.​

Accompanying technical documentation:

API syntax, function names, required and optional parameters supported and their data types, return variables and their types/structures, exceptions and exception handling methods and their returns:

• https://1up.health/docs/api/rest-api-reference
• https://1up.health/docs/api/auth

The software components and configurations an application must use in order to successfully interact with the API and process its response(s):

• https://1up.health/docs/start/cms-patient-access-rule-for-developers/getting-started-with-cms-r4-apis#testing-with-demo-health-plan-sandbox-env

Applicable technical requirements and attributes necessary for an application to be registered with any authorization server(s) deployed in conjunction with the API:

• https://1up.health/docs/start/cms-patient-access-rule-for-developers/cms-production-access