
Members: Protect your Privacy and Security on Mobile Apps with the Interoperability Rule

What are important things members should consider before authorizing a third-party app to retrieve their health care data?

It is important for members to take an active role in protecting their health information. Helping members know what to look for when choosing an app can help members make more informed decisions. Members should look for an easy-to-read privacy policy that clearly explains how the app will use their data. If an app does not have a privacy policy, members should not use the app.

Members should consider:

  1. What health data will this app collect? Will this app collect non-health data from my device, such as my location?
  2. Will my data be stored in a de-identified or anonymized form?
  3. How will this app use my data?
  4. Will this app disclose my data to third parties?
    • Will this app sell my data for any reason, such as advertising or research?
    • Will this app share my data for any reason? If so, with whom? For what purpose?
  5. How can I limit this app’s use and disclosure of my data?
  6. What security measures does this app use to protect my data?
  7. What impact could sharing my data with this app have on others, such as my family members?
  8. How can I access my data and correct inaccuracies in data retrieved by this app?
  9. Does this app have a process for collecting and responding to user complaints?
  10. If I no longer want to use this app, or if I no longer want this app to have access to my health information, how do I terminate the app’s access to my data?
    • What is the app’s policy for deleting my data once I terminate access?
    • Do I have to do more than just delete the app from my device?
  11. How does this app inform users of changes that could affect its privacy practices?

If the app’s privacy policy does not clearly answer these questions, members should reconsider using the app to access their health information. Health information is very sensitive information, and patients should be careful to choose apps with strong privacy and security standards to protect it.

What should a member consider if they are part of an enrollment group?

Some members, particularly those who are covered by Qualified Health Plans (QHPs) on the Federally-facilitated Exchanges (FFEs), may be part of an enrollment group where they share the same health plan as multiple members of their tax household.

Often, the primary policy holder and other members can access information for all members of an enrollment group unless a specific request is made to restrict access to member data.

Patients should be informed about how their data will be accessed and used if they are part of an enrollment group based on the enrollment group policies of their specific health plan in their specific state.

Patients who share a tax household but who do not want to share an enrollment group have the option of enrolling individual household members into separate enrollment groups, even while applying for Exchange coverage and financial assistance on the same application. However, this may result in higher premiums for the household (and some members, i.e. dependent minors, may not be able to enroll in all QHPs in a service area if enrolling in their own enrollment group) and in higher total out-of-pocket expenses if each member has to meet a separate annual limitation on cost sharing (i.e., Maximum Out-of-Pocket or MOOP).

What are a member's rights under the Health Insurance Portability and Accountability Act (HIPAA) and who must follow HIPAA?

For information about our procedures for complaints submission, please see our Notice of Privacy Practices: https://mcsclassicare.com/en/Pages/privacy-notice.aspx

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces the HIPAA Privacy, Security, and Breach Notification Rules, and the Patient Safety Act and Rule. You can find more information about patient rights under HIPAA and who is obligated to follow HIPAA here: https://www.hhs.gov/hipaa/for-individuals/guidance-materials-for-consumers/index.html

You may also find additional information in the HIPAA FAQs for Individuals: https://www.hhs.gov/hipaa/for-individuals/faq/index.html

Are third-party apps covered by HIPAA?

Most third-party apps will not be covered by HIPAA. Most third-party apps will instead fall under the jurisdiction of the Federal Trade Commission (FTC) and the protections provided by the FTC Act.

The FTC Act, among other things, protects against deceptive acts (e.g., if an app shares personal data without permission, despite having a privacy policy that says it will not do so).

The FTC provides information about mobile app privacy and security for consumers here: https://www.consumer.ftc.gov/articles/0018-understanding-mobile-apps

What are Covered Entities under HIPAA?

HIPAA, or the Health Insurance Portability and Accountability Act of 1996, covers both individuals and organizations. Those who must comply with HIPAA are often called HIPAA covered entities.

HIPAA covered entities include:

  1. Health plans, such as health insurance companies, HMOs (health maintenance organizations), employer-sponsored health plans, and government programs that pay for health care, like Medicare, Medicaid, and military and veterans’ health programs.
  2. Clearinghouses, which include organizations that process nonstandard health information to conform to standards for data content or format, or vice versa, on behalf of other organizations.
  3. Certain health care providers who submit HIPAA transactions, like claims, electronically are covered. These providers include, but are not limited to, doctors, clinics, dentists and others.
  4. Business Associates of a covered entity that help to carry out its health care activities and functions.

What should a member do if they think their data have been breached or an app has used their data inappropriately?

A member has the right to file a complaint with MCS if they believe that their privacy rights have been violated. All complaints must: (1) be submitted in writing; (2) include the name of the covered entity that is the subject of the complaint; (3) describe the acts or omissions believed to be in violation of the standards; and (4) be filed within 180 days of when the complainant knew or should have known that the act or omission complained of occurred.

You may also file a civil rights complaint with the U.S. Department of Health and Human Services (DHHS) Office for Civil Rights (OCR) electronically through the OCR complaint portal, available at https://hhs.gov/ocr/portal/lobby.jsf, by mail at the following address, or by telephone at the following numbers: U.S. Department of Health and Human Services, 200 Independence Avenue, SW, Room 509F, HHH Building, Washington, D.C. 20201; 1-800-368-1019; 800-537-7697 (TDD). Claim forms may be obtained from the website at http://www.hhs.gov/ocr/office/file/index.html.

No penalty or retaliation will be taken against you for filing a complaint with the Secretary of DHHS or with MCS.

You must submit the complaint to MCS at the following postal mail address or email address:

MCS
Attention: Privacy Officer
Box 9023547 San Juan, PR 00902-3547
mcscompliance@medicalcardsystem.com

To learn more about filing a complaint with OCR under HIPAA, visit:
https://www.hhs.gov/hipaa/filing-a-complaint/index.html

Individuals can file a complaint with OCR using the OCR complaint portal:
https://ocrportal.hhs.gov/ocr/smartscreen/main.jsf

Individuals can file a complaint with the FTC using the FTC complaint assistant:
https://reportfraud.ftc.gov/#/
