Arkansas Blue Cross and Blue Shield¹ and your rights regarding Patient Access APIs

All health plans in the Unites States who offer Medicare Advantage and Medicare Advantage Part D products, including Arkansas Blue Cross and Blue Shield family of affiliates, are required to provide you with access to detailed information about your health history through a Patient Access Application Programming Interface (API), for third-party apps that you may acquire for your smartphone, tablet, computer or other similar device.

Information available through a Patient Access API may include information we collected as the administrator of your health plan (going as far back as January 1, 2016) and may be available for as long as we maintain it in our records. The information, which may be limited to your current policy, includes the following:

• Claims and data about services performed by and interactions with healthcare providers.
• Clinical data that we collect in the process of providing case management, care coordination or other services to you.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) rules – which apply to Arkansas Blue Cross and its affiliates as covered entities – and other privacy laws also apply to our online portal. This tool is maintained by Arkansas Blue Cross, and we take precautions in its design, security, and upkeep to safeguard your protected health information (PHI).

If you choose a third-party app, it is important to know that it will have access to all of your information. This may include information about treatment for substance use disorders, mental health treatment, HIV status or other sensitive information.

Unlike our online portal, third-party app developers may not be subject to the HIPAA rules and other privacy laws. Instead, the privacy policies of third-party apps from organizations that are not covered entities under HIPAA may simply describe self-imposed limitations on how they will use, disclose and (possibly) sell information about you.

What we ask third-party apps to do

Arkansas Blue Cross requests that third-party app developers:

• Take steps to avoid exposing the information systems of Arkansas Blue Cross and its affiliates to computer viruses or malware that could put your data at risk.
• Describe their internal security environment so Arkansas Blue Cross can assess whether the app developer will expose the Arkansas Blue Cross computer systems to an unreasonable level of risk.
• Notify Arkansas Blue Cross immediately of any security breach that may impact your data.²

Third-party app privacy and security considerations

Of course, we will comply with your wishes regarding a third-party app, even if it does not agree to meet our requested standards. However, if you decide to access your information through a Patient Access API, you should carefully review the privacy policy of any app you are considering using to ensure you are comfortable with what the app will do with your information.

Things you may wish to consider when selecting an app include:

• Will this app sell my data for any reason?
• Will this app disclose my data for purposes such as research or advertising?
• How will this app use my data? For what purposes?
• Will the app allow me to limit how it uses, discloses or sells my data?
• If I no longer want to use this app, or if I no longer want this app to have access to my health information, can I terminate the app’s access to my data? If so, how difficult will it be to terminate access?
• What is the app’s policy for deleting my data once I terminate access? Do I have to do more than just delete the app from my device?
• How will this app inform me of changes in its privacy practices?
• Will the app collect non-health-related data from my device – such as my location?
• What security measures does this app use to protect my data?
• What impact could sharing my data with this app have on others, such as my family members?
• Will the app permit me to access my data and correct inaccuracies? (Note: Correcting inaccuracies in data collected by the app will not necessarily affect inaccuracies in the source of the data.)
• Does the app have a process for collecting and responding to user complaints?

If the app’s privacy policy does not satisfactorily answer these questions, you may wish to reconsider using the app to access your health information. Your health information may include very sensitive information, so you should be careful to choose an app that uses strong privacy and security standards to protect it.

Covered Entities and HIPAA Enforcement

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) enforces the HIPAA Privacy, Security, and Breach Notification Rules. The Arkansas Blue Cross family of affiliates is subject to HIPAA, as are most healthcare providers (hospitals, doctors, clinics, dentists, etc.). You can find more information about PHI protections, covered entities under HIPAA and your healthcare privacy rights by visiting https://www.hhs.gov/hipaa/for-individuals/index.html.

To learn more about filing a HIPAA-related complaint with the HHS Office for Civil Rights, visit the HHS website. You may also file a complaint with your health plan by contacting Arkansas Blue Cross and Blue Shield Privacy Office, P.O. Box 3216, Little Rock, Arkansas 72201, calling 866-254-4001 or sending an email to: [email protected].

Apps and Privacy Enforcement

An app developer generally will not be subject to HIPAA, unless it is developed under the auspices of a health insurer or healthcare provider. An app developer that publishes a privacy notice is required to comply with the terms of that notice, but the app generally is not subject to other privacy laws. The Federal Trade Commission (FTC) Act protects against deceptive acts (such as an app that discloses personal data in violation of its privacy notice). An app that violates the terms of its privacy notice is subject to the jurisdiction of the FTC. The FTC provides information about mobile app privacy and security for consumers on the FTC website.

If you believe an app inappropriately used, disclosed or sold your information, you should contact the FTC. You may file a complaint with the FTC using the FTC complaint assistant.