My Health Data gives digital access to your health data when and where you need it. Blue KC provides important information here for members.
We believe member health data, such as their electronic health records, should be available and accessible with a member’s consent. This information can then be accurately interpreted in an electronic format if a member chooses to grant access (such as through digital healthcare applications).
My Health Data
We’re enhancing the way you access your health information to help you get the care you need when you need it.
Introduction
Blue KC is leading the healthcare industry in finding ways to provide you with digital access to your healthcare data. You bank online, shop online, and can get a degree online, so we believe it’s time that you’re at the center of your own care and can digitally obtain a complete view of your health information.
Blue KC believes you own and should have access to your healthcare information, and should be able to:
Easily retrieve all healthcare data that is meaningful or actionable and share that information securely with whom you choose.
Be able to use apps or devices to access your healthcare data to better understand, analyze, track and manage your healthcare needs.
What Is Interoperability?
Interoperability is the ability for electronic systems to be able to communicate and exchange data in the same way, which will make it for app developers to create connections to Blue KC and your health data. Interoperability empowers members, which leads to better health, improved affordability and stronger communities.
The Centers for Medicare & Medicaid Services put forth new rules that create a more consistent framework for interoperability and shifted responsibility of your health care data to you as the member and owner of that data. Part of these changes include a simplified and consistent mechanism for apps to be able to ask you to allow their app to access your data.
This shift in responsibility for protecting your data means that you as the member have more control over who can access your health care data and you have more responsibility to protect your health care data. Blue KC believes it’s important to provide you with educational resources concerning the privacy and security of your protected health information in the context of disclosures of your information to third-party apps.
Blue KC Patient Access API
Blue KC is required to provide a “Patient Access API.” This provides a simple way for apps to access your data when you allow them to do so. No app can access your data through the “Patient Access API” without you providing explicit permission. The value of the “Patient Access API” is that it makes it much cheaper and easier for apps to be developed that can access your data when you allow them to.
If you wish to access your data directly you can do so through our member portal at . The “Patient Access API” is specifically for applications as an API is a mechanism for software to communicate with other software. Access to your data is controlled by the same username and password as your access to the member portal with the addition of multifactor authentication. This means you will need Microsoft authenticator installed on a mobile device or set up SMS one-time pins to authorize and app to access your data. This is part of Blue KC helping you to protect your data and ensure that only apps you authorize can access your health data.
You can take advantage of these capabilities by downloading an Application (App) on your smart phone, tablet, computer or other similar device and checking to see if they have created a connection to Blue KC. If they have then you can authorize the app to access your health data. The information available through the Patient Access API includes information we collect about you while you have been enrolled in certain lines of business since January 1, 2016. The information includes the following information for as long as we maintain it in our records:
Claims and “encounter” data* concerning your interactions with health care providers; and
Clinical data that we collect in the process of providing case management, care coordination, or other services to you.
* “Encounter” data is information about office visits and other interactions with providers that are paid for under a monthly (or annual) fee that Blue KC pays a provider for furnishing care to members. This type of payment arrangement is referred to as a “capitation arrangement.”
The information we will disclose may include information about treatment for Substance Use Disorders, mental health treatment, HIV status, or other sensitive information.
What Are My Responsibilities with Interoperability?
It is important for you to understand that the App you select will have access to ALL of your information. The App is NOT subject to the Health Insurance Portability and Accountability Act (HIPAA) Rules and other privacy laws, which generally protect your health information. Instead, the App’s privacy policy describes self-imposed limitations on how the App will use, disclose, and (possibly) sell information about you. If you decide to access your information through the Patient Access API, you should carefully review the privacy policy of any App you are considering using to ensure you are comfortable with what the App will do with your information.
Centers for Medicare & Medicaid Services rules on interoperability limit what health insurance companies can do to stop apps from asking you to access your health data. What Blue KC can do under the rules is ask the app to promise that they will have a privacy policy and follow good practices on protecting your data. This process of asking the app about this is called “Attestation.”. An app developer may simply not respond to our request or may indicate that they do not follow the best practices that we’ve outlined. If such and app asks for access to your data you will receive a warning message that looks like this:
Things You May Wish to Consider When Selecting an App
Will this App SELL my data for any reason?
Will this App DISCLOSE my data to third parties for purposes such as research or advertising?
How will this App USE my data? For what purposes?
Will the App allow me to limit how it uses, discloses, or sells my data?
If I no longer want to use this App, or if I no longer want this App to have access to my health information, can I terminate the App’s access to my data? If so, how difficult will it be to terminate access?
What is the App’s policy for DELETING my data once I terminate access? Do I have to do more than just delete the App from my device?
How will this App inform me of changes in its privacy practices?
Will the App collect non-health data from my device, such as my location?
What security measures does this App use to protect my data?
What impact could sharing my data with this App have on others, such as my family members?
Will the App permit me to access my data and correct inaccuracies? (Note that correcting inaccuracies in data collected by the App will not affect inaccuracies in the source of the data.)
Does the App have a process for collecting and responding to user complaints?
If the App’s privacy policy does not satisfactorily answer these questions, you may wish to reconsider using the App to access your health information. Your health information may include very sensitive information. You should therefore be careful to choose an App with strong privacy and security standards to protect it.
Covered Entities and HIPAA Enforcement
The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) enforces the HIPAA Privacy, Security, and Breach Notification Rules. Blue KC is subject to HIPAA as are most health care providers, such as hospitals, doctors, clinics, and dentists. You can find more information about your rights under HIPAA and who is obligated to comply with HIPAA here: https://www.hhs.gov/hipaa/for-individuals/index.html. To learn more about filing a complaint with OCR related to HIPAA requirements, visit: https://www.hhs.gov/hipaa/filing-a-complaint/index.html. You may also file a complaint with Blue KC by contacting Customer Service at 888-989-8842.
Apps and Privacy Enforcement
An App generally WILL NOT be subject to HIPAA. An App that publishes a privacy notice is required to comply with the terms of its notice, but generally is not subject to other privacy laws. The Federal Trade Commission Act protects against deceptive acts (such as an App that discloses personal data in violation of its privacy notice). An App that violates the terms of its privacy notice is subject to the jurisdiction of the Federal Trade Commission (FTC). The FTC provides information about mobile App privacy and security for consumers here: https://www.consumer.ftc.gov/articles/0018-understanding-mobile-apps. If you believe an App inappropriately used, disclosed, or sold your information, you should contact the FTC. You may file a complaint with the FTC using the FTC complaint assistant: https://reportfraud.ftc.gov/#/.
Interoperability is the ability of different information systems, devices, and apps to access, exchange, integrate and use data in a coordinated manner to provide timely and seamless portability of information and optimize the health of individuals and populations. Basically, interoperability refers to the ability of two electronic systems to interact with one another. Usually, this means creating standards around data formatting and structure and defined patterns on how to access the data. An example of interoperability is the special formatting of the routing number and account number on paper checks so that any bank can read that information from a check issued by any other bank. The Centers for Medicare and Medicaid Services (CMS) has provided specific rules for interoperability that require data from health insurance companies to be formatted and presented in a consistent way so that systems permitted to utilize that data can do so in a standard fashion.
What does Interoperability mean for me?
Blue Cross & Blue Shield of Kansas City (Blue KC) is committed to the idea that you own your own health data and should be able to consume it and use it as you desire. The interoperability standards defined by the government will make it easier and cheaper for others to develop applications or mobile apps that can look at your health data to help you make better decisions about your health care needs and health care spending. This means for you, as a member, you may be prompted to allow an application to access your health data from Blue KC. You get to decide if you want to allow this and use the services that the app provides, giving you more freedom and more choices on how to use your health data.
What are some benefits of Interoperability?
The goal of you controlling your health data is to open options for how you can make better use of your data. If you want to find out who sells a prescription for the lowest price in your area or a list of nearby pharmacies that accept your insurance plan there is an app that can help. If you want to see your latest health care expenses or your remaining deductible there is an app for that. Many of these things can already be found on our member portal at https://member.bluekc.com, but should you desire to access this through a third-party application that also accesses your health care records from your physician, interoperability will help make that possible.
What is meant by the term “app”?
The term “app” is short for “application,” which is how people interact with computers and mobile devices. So “app” is a computer program for interacting with people. Often this is called “software” as it is the set of instructions that control how the hardware, or physical device, behaves. Spreadsheets, word processing programs, browsers and email clients are all “applications.” On your mobile device, the various icons on your home screen that allow you to interact on your phone are all “apps.” Often “app” refers to an application on a mobile device, but in general, it is just software, or a computer program, designed for human interaction.
How does an app get my data from Blue KC?
Third party apps cannot get access to your Blue KC health data unless you grant them permission to do so. The app will prompt you to authorize the app to get your health data from Blue KC. The prompt will open a logon page controlled and owned by Blue KC. Your username and password are the same as the username and password used on the Blue KC member portal. The process will prompt you to provide consent for the app to access your data or for members that you represent, such as a child, on your policy. Once that is done, the app will be able to get your health data from Blue KC.
How does interoperability relate to my health data?
Interoperability makes it easier for third party apps to access your health data. Your health data exists separately from interoperability, but interoperability makes it much easier for apps to consume your health data and for you to authorize and allow an app to access your health data.
Can other people access my data?
Your Blue KC health data is yours and only people or apps you authorize can access it. Blue KC is committed to helping you keep your data safe. Interoperability provides certain controls around access to your health data. Other people cannot authorize access to your health data unless they have legal authority to authorize access to your health data (e.g., a personal representative).
Are there risks to letting an app access My Health Data?
Blue KC is committed to helping you protect your health data, but interoperability rules prevent us from blocking apps from requesting you to let the app access your health data. It is important to carefully consider which apps you trust to access your health data. Consider looking at the apps’ privacy policy if the app can sell your data and whether or not you trust the app publishers. Only use apps that are trusted and well known.
Things you may wish to consider when selecting an App:
Will this App sell my data for any reason?
Will this App disclose my data to third parties for purposes such as research or advertising?
How will this App use my data? For what purposes?
Will the App allow me to limit how it uses, discloses, or sells my data?
What does Blue KC do to protect my data?
Blue KC is at helping to lead the industry by ensuring that data is protected by strong encryption while in transit and strong authentication when transmitted to third party applications. Protecting your data is a priority at Blue KC. There are government regulations that also help ensure your data is protected by health care and insurance companies. One of those regulations is known as the Health Insurance Portability and Accountability Act or HIPAA.
Your personal health data is protected while in Blue KC systems by HIPAA. All health care providers such as hospitals, doctors, clinics, and dentists are subjected to HIPAA and are required to keep your information safe.
Each app creates a privacy policy and other policies that explain how they will use your health data and whether they can sell your health data to others. These policies control what they will do with your data, so it is important that you understand what you are agreeing to when you download a third-party app.
The app is also responsible for reporting inadvertent disclosure of your health data to you and appropriate government authorities. Interoperability means that Blue KC has virtually no control over which apps can ask you for access to your data, so the responsibility shifts to you to decide which apps you want to access your health data.
Once you choose to allow an app to have access to your personal heath data, that data is no longer protected by HIPAA or Blue KC.
For most hospitals, doctors’ offices, and health insurance companies, HIPAA governs the privacy and security of health records stored online. But many web-based businesses that collect people’s health information are not covered by HIPAA. These include online services people use to keep track of their health information and online applications that interact with those services.
The Federal Trade Commission (FTC), the nation’s consumer protection agency, has issued the Health Breach Notification Rule to require certain businesses not covered by HIPAA to notify their customers and others if there is a breach of unsecured, individually identifiable electronic health information. FTC enforcement began on February 22, 2010.
You can find more information regarding the FTC here:
By agreeing to share your data with an app, you authorize Blue KC to disclose certain information, which may include your name, address, diagnoses, treatments performed on you, amounts paid to providers, etc. Other information that could be disclosed might include claims and encounter data related to your interactions with health care providers, and clinical data that we collect in the process of providing case management, care coordination, or other services to you. The information we will disclose may include information about treatment for Substance Use Disorders, mental health treatment, HIV status, or other sensitive information.
How far back will this data go?
Blue KC will include information we collect about you while you have been enrolled in all Lines of Business that relate to your membership(s) with Blue KC since January 1, 2016, for as long as we maintain the information.
What do I do if I no longer want the app to have access to my information?
There are two steps.
The first step is to stop the app from accessing any data immediately. You can do this by contacting Customer Service by clicking the link listed here: https://www.bluekc.com/consumer/contact.html or contact Customer Service via an email form in the member portal at: /contact-us-dashboard. Select HIPAA in the drop down and mention which app(s) you want to stop being able to access your data in the form.
The second step is to contact the app and ask them to delete your data. Each app is voluntarily complying with their own privacy policy which includes data retention policies. Contact the company that publishes the app and follow their procedure for removal of your data from their records.
