Asuris Northwest Health (“Asuris”) is required to provide you with access to detailed information about your health history through a “Patient Access API.” While you are a current member, you may access this information by downloading a third-party application (the “App”) on your smart phone, tablet, computer or other similar device. The information available through the Patient Access API includes information we collect about you while you have been enrolled with us in certain lines of business since January 1, 2016. The information includes the following information for as long as we maintain it in our records:
- Demographic data and data about your health insurance coverage;
- Claims and “encounter” data¹ concerning your interactions with health care providers; and
- Clinical data that we collect in the process of providing case management, care coordination, or other services to you.
The information we will disclose may include your name, address, diagnosis, treatments received, amounts paid to providers, as well as other data. It may include information about treatment for Substance Use Disorders, mental health treatment, HIV status, or other sensitive conditions.
It is important for you to understand that the App you select will have access to all your information. The App is not subject to the HIPAA Rules and other privacy laws, which generally protect your health information. Instead, the App’s privacy policy describes self-imposed limitations on how the App will use, disclose, and (possibly) sell information about you. If you decide to access your information through the Patient Access API, you should carefully review the privacy policy of any App you consider using to ensure you are comfortable with what the App will do with your information. In addition, you should review the App developer attestation list included below this Patient Access API information to know whether the App you have selected has agreed to the following requirements:
1. The App has signed on to the CARIN Alliance Trust Framework and Code of Conduct.
2. The App has a publicly available privacy policy, written in plain language, that has been affirmatively shared with you before you authorize the App to access your information. To “affirmatively share” means that the App requires you to take an action indicating that you saw the privacy policy, such as clicking or checking a box.
3. The App’s privacy policy includes, at a minimum, the following important information:
- How your health information may be accessed, exchanged, or used by any person or other entity, including whether your health information may be shared or sold at any time (including in the future);
- A requirement for your express consent before your health information is accessed, exchanged, or used, including receiving express consent before your health information is shared or sold (other than disclosures required by law or disclosures necessary in connection with the sale of the application or a similar transaction);
- If the App will access any other information from your device; and
- How you can discontinue the App’s access to your data and what the App’s policy and process is for disposing of your data once you have revoked your consent to share your data with the App.
If the App you select has not agreed to all these requirements, we suggest that you select another App to best protect your information.
Things you may wish to consider when selecting an App:
- Will this App sell your data for any reason?
- Will this App disclose your data to third parties for purposes such as research or advertising?
- How will this App use your data? For what purposes?
- Will the App allow you to limit how it uses, discloses, or sells your data?
- If you no longer want to use this App, or if you no longer want this App to have access to your health information, can you terminate the App’s access to your data? If so, how difficult will it be to terminate access?
- What is the App’s policy for deleting your data once you terminate access? Do you have to do more than just delete the App from your device?
- How will this App inform you of changes in its privacy practices?
- Will the App collect non-health data from your device, such as your location?
- What security measures does this App use to protect your data?
- What impact could sharing your data with this App have on others, such as your family members?
- Will the App permit you to access your data and correct inaccuracies? (Note that correcting inaccuracies in data collected by the App will not affect inaccuracies in the source of the data.)
- Does the App have a process for collecting and responding to user complaints?
If the App’s privacy policy does not satisfactorily answer these questions, you may wish to reconsider using the App to access your health information. Your health information may include very sensitive information. You should therefore be careful to choose an App with strong privacy and security standards to protect it.
Deleting the App will not automatically stop Asuris from sending your data to the App if you have authorized us to send your data to the App. To have Asuris stop sending your data to the App you must revoke your authorization with Asuris.
COMPANY | APP NAME (APP TYPE) | REGISTERED | QUESTION 1 | QUESTION 2 | QUESTION 3 |
---|---|---|---|---|---|
OneRecord | OneRecord (Regular Web-App) | September 14, 2021 | Yes | Yes | Yes |
DrOwl Sandbox | DrOwl Sandbox (Native/Mobile App) | October 8, 2021 | No | Yes | No |
1upHealth Connect API | 1upHealth Connect API (Regular Web-App) | November 18, 2021 | Yes | Yes | Yes |
Mpowered Health | MpoweredHealth (Regular Web-App) | January 6, 2022 | Yes | Yes | Yes |
Optum, Inc. | Optum Behavioral Health Patient App – Salt Lake County Dev (Single-Page App) | January 19, 2022 | No | Yes | Yes |
Optum, Inc. | Optum Behavioral Health Interop Patient Access App Tooele Dev (Native/Mobile App) | February 14, 2022 | No | Yes | Yes |
Optum | Optum Behavioral Health Interop Patient Access App Idaho Dev (Single-Page App) | February 14, 2022 | No | Yes | Yes |
Flexpa | Flexpa (04/08/2022) (Single-Page App) | June 9, 2022 | Yes | Yes | Yes |
Onyx | MoveMyHealthData v1.0 (Regular Web-App) | June 9, 2022 | No | No | Yes |
Crescendo | Crescendo Health (Single-Page App) | June 9, 2022 | Yes | Yes | Yes |
b.well Connected Health | b.well Connected Health (Regular Web-App) | August 2, 2022 | Yes | Yes | Yes |
The Commons Project Foundation | CommonHealth. (Native/Mobile App) | August 8, 2022 | Yes | Yes | Yes |
Mpowered Health | Mpowered Health LLC (Native/Mobile App) | October 3, 2022 | Yes | Yes | Yes |
The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) enforces the HIPAA Privacy, Security, and Breach Notification Rules. Asuris is subject to HIPAA as are most health care providers, such as hospitals, doctors, clinics, and dentists. You can find more information about your rights under HIPAA and who is obligated to comply with HIPAA here: https://www.hhs.gov/hipaa/for-individuals/index.html. To learn more about filing a complaint with OCR related to HIPAA requirements, visit: https://www.hhs.gov/hipaa/filing-a-complaint/index.html. You may also report any issues with Asuris by contacting the phone number on the back of your member ID card.
An App generally will not be subject to HIPAA. An App that publishes a privacy notice is required to comply with the terms of its notice, but generally is not subject to other privacy laws. The Federal Trade Commission Act protects against deceptive acts (such as an App that discloses personal data in violation of its privacy notice). An App that violates the terms of its privacy notice is subject to the jurisdiction of the Federal Trade Commission (FTC). The FTC provides information about mobile App privacy and security for consumers here: https://www.consumer.ftc.gov/articles/0018-understanding-mobile-apps.
If you believe an App inappropriately used, disclosed, or sold your information, you should contact the FTC. You may file a complaint with the FTC using the FTC complaint assistant: https://reportfraud.ftc.gov.
¹“Encounter” data is information about office visits and other interactions with providers that are paid for under a monthly (or annual) fee that Asuris pays a provider for furnishing care to members. This type of payment arrangement is referred to as a “capitation arrangement.”