Interoperability Customer Resources



Customer Navigation

Interoperability—FAQs


Third Party Apps—FAQs

The Interoperability and Patient Access final rule (CMS-9115-F) puts patients first by giving access to payer health information through third-party applications (“apps”) of choice.

For more information, view Interoperability fact sheet.

On May 1, 2020, CMS released the Interoperability and Patient Access final rule, listing ways to give patients better access to electronic health information held by payers or providers.

View the final interoperability rule. Initially only Qualified Health Plan (QHP) customers will be able to take advantage of interoperability Patient Access Application Programming Interfaces (APIs). View additional privacy and security considerations for using third-party applications.

Developer account and application registration is required. Third-party application developers can create an account and request access to application registration.

Once an account has been successfully created and an application is successfully registered, Patient Access APIs will be made available to allow developers to access documentation and supportive interoperability Patient Access APIs, if WPS maintains the dataset.

Use of registered applications is at the sole discretion of WPS customers, former, present, or future. Applications must obtain direction, approval, and consent from WPS customers or a customer-authorized personal representative. No customer data will be accessible without proper authentication and consent.

Third-party application developers can request registration here.

Patient Access API–Patient Claims, which is customer information held by payers (like health plans) and which includes claims data, will be available through Application Program Interfaces (APIs). APIs allow certain third-party applications chosen by the customer to connect to the payer’s system to display current and historical information without the need to submit a separate request to the payer for this data.

Ensuring the privacy and security of customer information is a priority for WPS. WPS is responsible for compliance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended, which means we are required by law to take certain steps to safeguard the privacy and security of our customers’ data. Not all third-party apps are required to comply with HIPAA, and the interoperability rules only allow WPS to refuse to integrate with apps in very limited circumstances. Because of this, customers are strongly encouraged to read their chosen third-party app Privacy Policy and Terms of Use prior to consenting to that app receiving customers’ health information, as WPS cannot control how that specific third-party app uses, stores, and/or discloses customer health information.

Customers are encouraged to read the third-party app Privacy Policies and Terms of Use before a third-party app can gain access to the health data WPS stores as a payer. Customers must download the app of choice and follow the app’s steps to connect to WPS. Customers will be prompted to provide the information necessary for WPS to confirm that the request is valid (including identity verification), and then additionally consent to the release of relevant WPS payer health data to that app.

The OneRecord™ app (developer Jennifer Blumenthal) is registered with WPS Health Insurance and WPS Health Plan.

It depends on the app’s policy. Customers are encouraged to read the third-party app’s Privacy Policies and Terms of Use when choosing to share payer health data with a third-party app. Any opt-out or restriction may not apply to data already transmitted to the third-party app based on a customer's consent and, instead, any opt-out or further restriction would be subject to that app’s Privacy Policy, Terms of Use, and/or other conditions.

Customers are very strongly encouraged to read their chosen app’s Privacy Policy, Terms of Use, and/or other conditions when choosing to share payer health data with that app. Third-party app policies will determine what payer health data will be collected, stored, maintained and/or shared once consent is granted. This is likely to vary significantly, depending on the app and whether it’s provided by an entity otherwise subject to HIPAA.

There will be apps that have significant safeguards in place to prevent the use or sharing of customer health data with third parties and which have strong security protections in place. In contrast, there may be apps that allow for the unrestricted use of customer health data, including the sale of that data to other parties, and which may be less concerned about data security. WPS is required by law to provide the app access to all of that customer’s data if requested by the customer (through providing a consent, or “I agree” statement, within the app). That means that certain particularly sensitive health information—such as treatment for sexually transmitted diseases, mental health and/or substance abuse treatment, etc.—which may otherwise be subject to more stringent protection, is also required to be disclosed.

To reiterate, the intent of the interoperability requirements is to allow customers to consent to various terms regarding the collection, use, and sharing of their personal health information. It also allows for a less burdensome way for customers to obtain their most current information. This also presents certain risks to customer privacy if customers do not understand how their information will be collected, stored, used, and/or disclosed.

It depends. The third-party app Privacy Policy, Terms of Use, and/or other conditions will determine what non-health data will be collected, stored, maintained, and/or shared once consent is granted. Again, please thoroughly read the Privacy Policy, Terms of Use, and/or other conditions of any third-party app you are considering using.

Specific third-party app policies will determine what security provisions are in place to protect the customer health data that will be collected, stored, maintained, and/or shared once consent is granted. By law, WPS can only restrict the sharing of data with a particular app if doing so would risk the security of WPS data systems, not if it would risk the security or privacy of customer data once that information is released from WPS to the app based on customer consent. Because of this, it is extremely important that customers read and understand their chosen third-party app’s Privacy Policy, Terms of Use, and/or other conditions, including by review of any security safeguards. WPS understands that some of this information may be “technical” and use terms customers may not be familiar with. If customers have questions, WPS encourages outreach directly to the app provider.

Based on the individual third-party app policies and protocols, customers may need to disable permissions for the third-party app within certain settings, then delete the app, and/or follow instructions provided within the app’s Privacy Policy, Terms of Use, and/or other conditions. Some third-party apps may require a written request to stop sharing data and/or to destroy any customer data.

If you believe an app used your information inappropriately or did not comply with its privacy and security policies, you may reach out to the U.S. Federal Trade Commission (FTC), Office for Civil Rights, HIPAA, Health and Human Services, or your state’s consumer protection agency.

Payer-to-Payer Data Exchanges—FAQs

Payers are required to exchange customers’ personal data at the customer's request so customers can take all their data with them as they move between health plans.

Customers can contact their existing or former health plan to authorize consent by completing a consent form (usually a HIPAA authorization form).

WPS will use an encrypted secure file transfer protocol (SFTP) process to exchange customer data electronically.

The consent is a one-time request to share and will remain in effect until the clinical data file is transmitted successfully with the authorized payer, which will occur within one (1) business day of receipt of the fully completed authorization.

WPS acknowledges and protects customers’ rights to revoke their consent; however, revocation of consent cannot apply after the successful transmission of a customer’s data to the authorized health plan as WPS cannot retrieve the information once transmitted.

Yes, a confirmation can be sent via email or mail once your data has been exchanged, if requested.

WPS Health Insurance and WPS Health Plan customers or other payers can make a payer-to-payer exchange request here.

Is your doctor in your network?