The Interoperability and Patient Access final rule (CMS-9115-F) puts patients first by giving access to payer health information through third-party applications (“apps”) of choice.
For more information, view CMS Interoperability fact sheet.
On May 1, 2020, CMS released the Interoperability and Patient Access final rule, listing ways to give patients better access to electronic health information held by payers or providers.
View the final interoperability rule. Initially only Qualified Health Plan (QHP) customer will be able to take advantage of interoperability Patient Access APIs. View additional privacy and security considerations for using third-party applications.
Developer account and application registration is required. Third-party application developers can create an account and request application registration API access.
Once an account has been successfully created and an application is successfully registered, Patient Access APIs will be made available to allow developers to access documentation and supportive interoperability Patient Access APIs, if WPS maintains the dataset.
Use of registered applications is at the sole discretion of WPS customers, former, present, or future. Applications must obtain direction, approval, and consent from WPS customers or member-authorized personal representative. No member data will be accessible without proper authentication and consent.
Third-party application developers can request registration here.
Patient Access API–Patient Claims, which is member information held by payers (like health plans) and which includes claims data, will be available through Application Program Interfaces (APIs). APIs allow certain third-party applications chosen by the member to connect to the payer’s system to display current and historical information without the need to submit a separate request to the payer for this data.
OneRecord™ app (developer Jennifer Blumenthal)
There will be apps that have significant safeguards in place to prevent the use or sharing of member health data with third parties and which have strong security protections in place. In contrast, there may be apps that allow for the unrestricted use of member health data, including the sale of that data to other parties, and which may be less concerned about data security. WPS is required by law to provide the app access to all of that member’s data if requested by the member (through providing a consent, or “I agree” statement, within the app), which means that certain particularly sensitive health information (such as treatment for sexually-transmitted diseases, mental health and/or substance abuse treatment, etc.) that may otherwise be subject to more stringent protection is also required to be disclosed.
To reiterate, the intent of the Interoperability requirements is to allow customers to consent to various terms regarding the collection, use, and sharing of their personal health information, and also to allow for a less burdensome way for customers to obtain their most current information, but this also presents certain risks to member privacy if Customers do not understand how their information will be collected, stored, used, and/or disclosed.
If you believe an app used your information inappropriately or did not comply with its privacy and security policies, you may reach out to the U.S. Federal Trade Commission (FTC), Office for Civil Rights, HIPAA, Health and Human Services, or your state’s consumer protection agency.
Payers are required to exchange customers’ personal data at the customer's request so customers can take all their data with them as they move between health plans.
Customers can contact their existing or former health plan to authorize consent by completing a consent form (usually a HIPAA authorization form).
WPS will use an encrypted secure file transfer protocol (SFTP) process to exchange customer data electronically.
The consent is a one-time request to share and will remain in effect until the clinical data file is transmitted successfully with the authorized payer, which will occur within one (1) business day of receipt of the fully completed authorization.
WPS acknowledges and protects customers’ rights to revoke their consent; however, revocation of consent cannot apply after the successful transmission of a customer’s data to the authorized health plan as WPS cannot retrieve the information once transmitted.
Yes, a confirmation can be sent via email or mail once your data has been exchanged, if requested.