
Important Patient Access Application Program Interface (API) Information


Florida Health Care Plan, Inc., (FHCP) is a health maintenance organization licensed to conduct business in the state of Florida. The Federal Interoperability Rule requires that health plans, like FHCP, make available to their current and former members certain healthcare information through a designated API application (API app) on your smart device. This API app will allow you to access your data via FHCP’s Patient Access API. To access this information, you need to select a third-party API app that will serve as the conduit to your information. This will only be done at your direction and only through the API app that you select. The API app you select will be from a third party. It is not created, maintained, or approved by FHCP.

Selecting an API App

Before you install an API App, here’s what you can do to better protect yourself:

  • Use official app stores. To reduce the risk of installing a potentially harmful API app, download the API app only from official app stores, such as your device’s manufacturer or operating system app store. Also, research the developer before installing an API app.
  • Know what information the API app will be able to access and how it will use this information. Before you download an API app, read the API app’s privacy policy to see how your data will be accessed and used or if your data will be shared. Is the policy vague about how the API app will share your data? If it is, or if you’re not comfortable with how your information could be shared, you might want to find another API app. If the API app does not have a privacy policy, you may not want to use the API app.
  • Check out the permissions. To gain access to information like your location or contacts, or to get access to features like your camera and microphone, all apps need your permission. You may be asked to give permission when you first download the API app, or at the time the API app first tries to access that information or feature. Pay close attention to the permissions the API app requests. For example, does it really need to access your location or photos to do its job?

It is important that you take an active role in protecting your health information. You should look for an easy-to-read privacy policy that clearly explains how the app will use your data. If an app does not have a privacy policy, you should not use the app. You should consider:

  • What health data will this app collect? Will this app collect non-health data from my device, such as my location?
  • Will my data be stored in a de-identified or anonymized form?
  • How will this app use my data?
  • Will this app disclose my data to third parties?
  • Will this app sell my data for any reason, such as advertising or research?
  • Will this app share my data for any reason? If so, with whom? For what purpose?
  • How can I limit this app’s use and disclosure of my data?
  • What security measures does this app use to protect my data?
  • What impact could sharing my data with this app have on others, such as my family members?
  • How can I access my data and correct inaccuracies in data retrieved by this app?
  • Does this app have a process for collecting and responding to user complaints?
  • If I no longer want to use this app, or if I no longer want this app to have access to my health information, how do I terminate the app’s access to my data?
  • What is the app’s policy for deleting my data once I terminate access? Do I have to do more than just delete the app from my device?
  • How does this app inform users of changes that could affect its privacy practices?

If the app’s privacy policy does not clearly answer these questions, you should reconsider using the app to access your health information. Health information is very sensitive information, and you should be careful to choose apps with strong privacy and security standards to protect it.

Privacy and Security

It’s important to know about privacy settings on API apps. When you download an API app, it may ask for permission to access personal information like contacts, your location, or even your camera. The API app may need this information to make some features work, but it also may share this information with other companies.

Once you have downloaded and installed the API app, there are still some things you can do to protect yourself:

  • Review the API app’s permissions. Go to your Settings to review the permissions to make sure the API app doesn’t have access to information or features it doesn’t need. Turn off unnecessary permissions.
  • Limit location permissions. Some API apps may have features that need to access your device’s location services. If an API app needs access to your location data to function, think about limiting the access to only when the API app is in use.
  • Keep your API app updated. API apps with out-of-date software may be at risk of being hacked. Protect your device from malware by installing API app updates as soon as they’re released.
  • Delete the API app if you stop using it. To avoid unnecessary data collection, if you stop using your API app, delete it.

What you should consider if you are part of an enrollment group

You may be part of an enrollment group where you share the same health plan as multiple members of your tax household. Often, the primary policy holder and other members can access information for all members of an enrollment group unless a specific request is made to restrict access to member data. You should be informed about how your data will be accessed and used if you are part of an enrollment group based on the enrollment group policies of your specific health plan. If you share a tax household but do not want to share an enrollment group, you have the option of enrolling individual household members into separate enrollment groups, even while applying for Exchange coverage and financial assistance on the same application; however, this may result in higher premiums for the household and some members (i.e., dependent minors may not be able to enroll in all QHPs in the service area if enrolling in their own enrollment group) and in higher total out-of-pocket expenses if each member has to meet a separate annual limitation on cost sharing (i.e., Maximum Out-of-Pocket (MOOP)).

API Apps and the Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act (HIPAA) put in place a number of requirements, including rules to protect and secure your health information. These rules apply to Covered Entities, including health plans, providers, and healthcare clearinghouses. FHCP’s Notice of Privacy Practices describes many of those requirements and how FHCP complies with them.

The U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) enforces the HIPAA Privacy, Security, and Breach Notification Rules, and the Patient Safety Act and Rule. You can find more information about patient rights under HIPAA and who is obligated to follow HIPAA here:

You can find HIPAA FAQs for individuals from HHS here:

It is unlikely that the developers or suppliers of API apps are Covered Entities; therefore, in most cases, HIPAA will not apply and they will instead fall under the jurisdiction of the Federal Trade Commission (FTC) and the protections provided by the FTC Act. The FTC Act, among other things, protects against deceptive acts (e.g., if an app shares personal data without permission despite having a privacy policy that says it will not do so).

The FTC provides information about mobile app privacy and security for consumers here:

FHCP strongly encourages you to investigate thoroughly the privacy and security of any API app you may consider. Health information is very sensitive and you should carefully choose API apps with strong privacy and security standards to protect your information.

How to File a Complaint About Your API App

In the event that you have a complaint about the API app that you selected and are unable to resolve the issue with the API app vendor, you have the right to report the issue/complaint to the Federal Trade Commission or the Department of Health and Human Services’ Office of Civil Rights. Those agencies have oversight responsibility for this initiative. They can be reached at:

U.S. Federal Trade Commission

Office for Civil Rights

To learn more about filing a complaint with OCR under HIPAA, visit:

Florida Health Care Plans is an independent licensee of the Blue Cross Blue Shield Association servicing Volusia, Flagler, St. Johns, Brevard, and Seminole counties in the state of Florida.
