The Interoperability and Patient Access final rule (CMS-9115-F) puts patients first by giving access to payer health information through third-party applications (“apps”) of choice.
For more information, view CMS Interoperability fact sheet.
On May 1, 2020, CMS released the Interoperability and Patient Access final rule, listing ways to give patients better access to electronic health information held by payers or providers.
View the final interoperability rule. Initially only Qualified Health Plan (QHP) members will be able to take advantage of interoperability Patient Access APIs. View additional privacy and security considerations for using third-party applications.
Developer account and application registration is required. Third-party application developers can create an account and request application registration API access.
Once an account has been successfully created and an application is successfully registered, Patient Access APIs will be made available to allow developers to access documentation and supportive interoperability Patient Access APIs, if WPS maintains the dataset.
Use of registered applications is at the sole discretion of WPS members, former, present, or future. Applications must obtain direction, approval, and consent from WPS members or member-authorized personal representative. No member data will be accessible without proper authentication and consent.
Third-party application developers can request registration here.
Patient Access API–Patient Claims, which is member information held by payers (like health plans) and which includes claims data, will be available through Application Program Interfaces (APIs). APIs allow certain third-party applications chosen by the member to connect to the payer’s system to display current and historical information without the need to submit a separate request to the payer for this data.
There will be apps that have significant safeguards in place to prevent the use or sharing of member health data with third parties and which have strong security protections in place. In contrast, there may be apps that allow for the unrestricted use of member health data, including the sale of that data to other parties, and which may be less concerned about data security. WPS is required by law to provide the app access to all of that member’s data if requested by the member (through providing a consent, or “I agree” statement, within the app), which means that certain particularly sensitive health information (such as treatment for sexually-transmitted diseases, mental health and/or substance abuse treatment, etc.) that may otherwise be subject to more stringent protection is also required to be disclosed.
To reiterate, the intent of the Interoperability requirements is to allow members to consent to various terms regarding the collection, use, and sharing of their personal health information, and also to allow for a less burdensome way for members to obtain their most current information, but this also presents certain risks to member privacy if members do not understand how their information will be collected, stored, used, and/or disclosed.
If you believe an app used your information inappropriately or did not comply with its privacy and security policies, you may reach out to the U.S. Federal Trade Commission (FTC), Office for Civil Rights, HIPAA, Health and Human Services, or your state’s consumer protection agency.