Third-Party Apps FAQ
What is Interoperability and what does it mean for members?
Interoperability is the ability of third-party applications (apps) to communicate and exchange data, making it easier for consumers to access their health care data. The overall goal is to improve consumer access to their health information. This regulation requires that health plan providers enable patients, through independent third-party apps on computers, tablets, smart phones, and other mobile devices, and with the member’s authorization, to access their health information maintained by BCBSWY.
How can a member access their health information through a third-party app?
A member must have an active Portal Account and be enrolled in a Marketplace plan. To create a Portal Account, register here.
Note: After July 1, 2021, third-party app developers will start to share their available apps in device stores.
How many years of health information can/will be shared with a third-party app?
Depending on the timing of the member’s enrollment in a Marketplace plan, BCBSWY will provide claims and clinical data with an effective date on or after January 1, 2016.
What is clinical data?
Clinical data is a collection of data related to patient diagnosis, demographics, exposures, laboratory tests, and family relationships. The only clinical data that will be available to a third-party app will be stored data fields such as height, weight, lab results, etc.
What should a member consider before using a third-party app?
Please be advised that BCBSWY does not monitor or control how a particular app can use or disclose your data. Things you may wish to consider when selecting an app:
- Will this app sell my data for any reason? Will this app disclose my data to third parties for purposes such as research or advertising?
- How will this app use my data? For what purposes?
- Will the app allow me to limit how it uses, discloses, or sells my data?
- If I no longer want to use this app, or if I no longer want this app to have access to my health information, can I terminate the app’s access to my data? If so, how difficult will it be to terminate access?
- What is the app’s policy for deleting my data once I terminate access? Do I have to do more than just delete the app from my device?
- How will this app inform me of changes in its privacy practices?
- Will the app collect non-health data from my device, such as my location?
- What security measures does this app use to protect my data?
- What impact could sharing my data with this app have on others, such as my family members?
- Will the app permit me to access my data and correct inaccuracies? (Note that correcting inaccuracies in data collected by the app should be done at the source of the data and not within the app.)
- Does the app have a process for collecting and responding to user complaints?
If the app’s privacy policy does not satisfactorily answer these questions, you may wish to reconsider using the app to access your health information. Your health information may include very sensitive information. You should therefore be careful to choose an app with strong privacy and security standards to protect it.
What is the risk of using third-party apps?
Once a member’s information is shared with the third-party app it is no longer protected by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). BCBSWY is not affiliated with any third-party app and does not review these apps for privacy or security practices.
Not all third-party apps are required to comply with State and Federal privacy or security laws, including HIPAA. In addition, third-party apps do not have to verify that they comply with basic privacy or security standards. Should a member select a third-party app that does not comply, BCBSWY recommends that the member carefully consider their request to share health information with the third-party app and select a different third-party app that has agreed to these basic privacy or security standards.
What does it mean if a third-party app has not verified that it complies with basic privacy or security standards?
The third-party app does not have a publicly available privacy policy, written in plain language, that has been affirmatively shared with the member prior to the member authorizing the third-party app to access their health insurance. To affirmatively share means that the member must take action to indicate that they saw the privacy policy, such as clicking a button or checking a box.
The third-party app privacy policy does not include the following important information:
- How a member’s health information may be accessed, exchanged, or used by the app and any other person or entity, including whether the member’s health information may be shared or sold at any time (including in the future).
- A requirement for express consent from a member before the member’s health information is accessed, exchanged, or used, including receiving express consent before a member’s health information is shared or sold.
- If a third-party app will access any other information from a member’s device(s).
- How a member can discontinue third-party app access to their health information and what the app’s policy and process is for disposing of a member’s data once the member has withdrawn consent.
How does a member know a third-party app has not agreed to State or Federal privacy or security policies?
If a third-party app developer has not agreed to the basic privacy or security standards, members will see a disclaimer in red text, as shown in the screenshot below.
What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.
Are third-party apps covered by HIPAA?
Most third-party apps will not be covered by HIPAA. Most third-party apps will instead fall under the jurisdiction of the Federal Trade Commission (FTC) and the protections provided by the FTC Act. The FTC Act, among other things, protects against deceptive acts (e.g., if an app shares personal data without permission, despite having a privacy policy that says it will not do so).
The FTC provides information about mobile app privacy and security for consumers at https://www.consumer.ftc.gov/articles/0018-understanding-mobile-apps
Learn more about the FTC and their third-party app privacy policy and security at https://www.bcbswy.com/third-party-apps-faq/
Can I stop a third-party app from accessing my health information? What will happen to a member’s health information after deleting the app?
A member can at any time log in to their BCBSWY Member Portal Account and revoke a third-party app’s access to their health information. A member can then delete the third-party app from their computer or mobile device. Please note that revoking a third-party app’s access to a member’s data and deleting the app does not revoke or delete the access the app has to data it was previously authorized to access. A member should review the privacy policy and practices of this third-party app to understand how their health information will be handled after revoking access.
How do I Revoke Access to a Third-Party App or See a List of Authorized Apps?
- Log into your member portal account: https://www.yourwyoblue.com/home/
- Go to Your Account > Account Settings
- Go to Password & Security
- Go to Data Sharing Authorizations
- Go to Manage Your Access
- Select the app being revoked
Member App Questions
I set up a new third-party app but do not see my health information?
It is recommended that a member confirm they provided an accurate Member Portal username and password to the third-party app. Claims and clinical information, excluding dental and vision, from BCBSWY is provided to members who enrolled through Marketplace. If the problem continues, please reach out to the third-party app directly.
If you are currently enrolled in any other products, other than those found on Marketplace, you will be unable to access claims and clinical information through a third-party app at this time.
Can BCBSWY tell me if the third-party app is sharing my health information outside the app?
BCBSWY is not affiliated with any third-party app and does not review these apps for privacy and security practices. Members need to contact the third-party app directly to verify if and when the third-party app is sharing health information.
Where can I find the provider and formulary information?
A list of BCBSWY network health care providers can be found here.
A BCBSWY pharmacy guide and formulary information can be found here.
What if I see an error on my health information or information is missing in the third-party app?
Members should contact the third-party app directly to get the error corrected. Third-party app developers are not required to display all available claims and clinical information; please refer to the third-party app developer to confirm what data is included.
What if the third-party app is potentially misusing the health information I am sharing?
If a member feels a third-party app is misusing the health information it has access to, the member can discontinue use of the app and/or file a complaint with the Federal Trade Commission (FTC) using their complaint assistant.
What if the third-party app is potentially violating HIPAA privacy?
The Office for Civil Rights (OCR) manages HIPAA. If a member believes a third-party app has violated HIPAA privacy policies, they should visit https://www.hhs.gov/hipaa/filing-a-complaint/index.html to learn more about filing a complaint with OCR.
Please note: many third-party apps will not be covered by HIPAA and will fall under the Federal Trade Commission (FTC) and the protections provided by the FTC Act. The FTC Act protects against deceptive acts, such as a third-party app stating it will not share health information and then doing so.
To learn more about the FTC and their third-party app privacy policy and security go here.
What do I do if I have two insurance plans and want to share health information from both policies?
As of July 1, 2021, the CMS Interoperability Project requires BCBSWY to provide members with patient access to their medical claims and clinical data through a third-party app. The second phase of the project requires health plans to share member data with other health plans, effective January 1, 2022.
Why do I not see all my claims and clinical data in the third-party app?
Currently, only Marketplace medical products are available to be accessed through third-party apps. Dental and Vision information is currently exempt from being shared with third-party apps.
Do I need to be an active BCBSWY member to access data through a third-party app?
Yes, to share data with a third-party app you must be an active member of a BCBSWY medical plan through Marketplace and have a Member Portal username and password. To create a Member Portal Account, register here.
What happens if my third-party app account becomes inactive or password changes?
A member should reach out to the third-party app for assistance in regaining access.
How does this app inform users of changes that could affect its privacy practices?
If the app’s privacy policy does not clearly answer these questions, patients should reconsider using the app to access their health information. Health information is very sensitive information, and patients should be careful to choose apps with strong privacy and security standards to protect it.
What should a member do if they think their data have been breached or an app has used their data inappropriately?
Payers should clearly explain to patients what their policy is for filing a complaint with their internal privacy office. In addition, payers should provide information about submitting a complaint to OCR or FTC, as appropriate.
To learn more about filing a complaint with OCR under HIPAA, visit:
https://www.hhs.gov/hipaa/filing-a-complaint/index.html
Individuals can file a complaint with OCR using the OCR complaint portal:
https://ocrportal.hhs.gov/ocr/smartscreen/main.jsf
Individuals can file a complaint with the FTC using the FTC complaint assistant:
https://reportfraud.ftc.gov/#/assistant
What should a patient consider if they are part of an enrollment group?
Some patients, particularly patients who are covered by Qualified Health Plans (QHPs) on the Federally-facilitated Exchanges (FFEs), may be part of an enrollment group where they share the same health plan as multiple members of their tax household. Often, the primary policy holder and other members can access information for all members of an enrollment group unless a specific request is made to restrict access to member data. Patients should be informed about how their data will be accessed and used if they are part of an enrollment group based on the enrollment group policies of their specific health plan in their specific state. Patients who share a tax household but who do not want to share an enrollment group have the option of enrolling individual household members into separate enrollment groups, even while applying for Exchange coverage and financial assistance on the same application. However, this may result in higher premiums for the household; some members (i.e., dependent minors) may not be able to enroll in all QHPs in a service area if enrolling in their own enrollment group; and total out-of-pocket expenses may be higher if each member has to meet a separate annual limitation on cost sharing (i.e., Maximum Out-of-Pocket (MOOP)).
What are a patient’s rights under the Health Insurance Portability and Accountability Act (HIPAA) and who must follow HIPAA?
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces the HIPAA Privacy, Security, and Breach Notification Rules, and the Patient Safety Act and Rule.
You can find more information about patient rights under HIPAA and who is obligated to follow HIPAA here: https://www.hhs.gov/hipaa/for-individuals/guidance-materials-for-consumers/index.html