CMS patient access API

This page describes the Centers for Medicare & Medicaid Services (CMS) Patient Access API mandate, the risks and benefits of data sharing for members, and the channels for getting help with issues that arise when sharing member data with third-party apps.

API information for developers

The 21st Century Cures Act and the CMS Patient Access Final Rule

In December 2016, the 21st Century Cures Act was signed into law with several important goals, including increased patient access to their own health data. CMS created rules to further this goal, known as the CMS Interoperability and Patient Access final rule (CMS-9115-F). To increase patients' access to their health data, the rule requires health plans regulated by CMS (for example Medicare Advantage, Medicaid and CHIP managed care plans, and qualified health plans on the federal exchanges) to give members access to their health plan data and the ability to share it with third-party applications of their choice through a standards-based API.

What does this mean for you and your health plan?

We are committed to making sure that you have access to the information that you need to make decisions about your health. What this means is that we must make all of your claims and clinical data that we have in our systems available for you to access through the third-party applications of your choosing. 

We have contracted with 1upHealth, an industry leader in healthcare data integrations, to give you access to your data and the ability to share it. The data is exposed using FHIR (Fast Healthcare Interoperability Resources), the health data standard the CMS rule requires. If you choose to access your healthcare data through an application such as MyChart, Apple Health, or Fitbit, you will be asked to connect that application through the 1upHealth platform. To do this, you confirm your identity to 1upHealth and to us by signing in with the user ID and password you use for your member portal. You enter these credentials on the sign-in page, not inside the app, so the app never receives your password; it receives only an authorization to read your data, which you can later withdraw. After we verify your identity, we share your healthcare data with the application you have chosen.
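The connection flow described above, as an added example that is not code from this health plan, from 1upHealth or from any app: a simulated OAuth 2.0 authorization-code flow with PKCE in front of a FHIR Patient Access API. It assumes the plan's FHIR server is protected by an OAuth 2.0 authorization server (the SMART App Launch profile that CMS-9115-F requires Patient Access APIs to support); the app name `nutrition-app`, its callback URL, the member account, the scope strings and the FHIR resources are all constructed for the example. It shows in code what the paragraph says in prose: the member's password goes to the plan's sign-in page and never to the app, the token the app ends up with is limited to the scope the member granted and to that member's own records, and disconnecting the app (the question raised later about terminating access) invalidates its tokens.

```python
# Added illustration (not the plan's, 1upHealth's or any app's code). Assumes the
# plan's FHIR API sits behind an OAuth 2.0 authorization server, as the CMS rule's
# SMART App Launch requirement implies; every id, account and resource is constructed.
import base64
import hashlib
import secrets
from dataclasses import dataclass, field

# Constructed member accounts and app registrations held by the plan / its vendor.
MEMBERS = {"member123": {"password": "correct horse battery staple", "patient_id": "pat-001"}}
REGISTERED_APPS = {"nutrition-app": "https://nutrition.example/callback"}

# Constructed FHIR resources keyed by patient id (two members, so the
# patient-binding check below has something to refuse).
RESOURCES = {
    "pat-001": {"ExplanationOfBenefit": [{"resourceType": "ExplanationOfBenefit", "id": "eob-1"}],
                "Coverage": [{"resourceType": "Coverage", "id": "cov-1"}]},
    "pat-002": {"ExplanationOfBenefit": [{"resourceType": "ExplanationOfBenefit", "id": "eob-9"}]},
}

def pkce_challenge(verifier: str) -> str:
    """S256 code challenge: base64url(sha256(verifier)) without '=' padding."""
    return base64.urlsafe_b64encode(hashlib.sha256(verifier.encode()).digest()).rstrip(b"=").decode()

@dataclass
class AuthServer:
    """Authorization server run by the plan; the app never reads MEMBERS."""
    codes: dict = field(default_factory=dict)   # code -> (client_id, scope, patient_id, challenge)
    tokens: dict = field(default_factory=dict)  # access_token -> grant record

    def authorize(self, client_id, redirect_uri, scope, code_challenge, user_id, password):
        """Sign-in page: verify the member and their consent, return a one-time code."""
        if REGISTERED_APPS.get(client_id) != redirect_uri:
            raise PermissionError("unregistered client or redirect_uri")
        member = MEMBERS.get(user_id)
        if member is None or not secrets.compare_digest(member["password"], password):
            raise PermissionError("bad credentials")
        code = secrets.token_urlsafe(32)
        self.codes[code] = (client_id, scope, member["patient_id"], code_challenge)
        return code

    def token(self, client_id, code, code_verifier):
        """Token endpoint: redeem the code; PKCE proves the caller started the flow."""
        entry = self.codes.pop(code, None)  # codes are single use
        if entry is None:
            raise PermissionError("unknown or reused code")
        c_id, scope, patient_id, challenge = entry
        if c_id != client_id or not secrets.compare_digest(pkce_challenge(code_verifier), challenge):
            raise PermissionError("PKCE verification failed")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = {"client_id": client_id, "scope": set(scope.split()),
                                     "patient": patient_id, "active": True}
        return access_token

    def revoke_app(self, client_id):
        """Member disconnects the app in the portal: every token issued to it stops working."""
        live = [g for g in self.tokens.values() if g["client_id"] == client_id and g["active"]]
        for g in live:
            g["active"] = False
        return len(live)

def fhir_search(auth: AuthServer, access_token: str, resource_type: str, patient_id: str):
    """Resource server check for GET /<resource_type>?patient=<patient_id>."""
    grant = auth.tokens.get(access_token)
    if grant is None or not grant["active"]:
        return 401, {"error": "invalid_token"}
    # SMART scope syntax: patient/<Type>.read, or the wildcard patient/*.read
    if not ({f"patient/{resource_type}.read", "patient/*.read"} & grant["scope"]):
        return 403, {"error": "insufficient_scope"}
    if patient_id != grant["patient"]:  # token is bound to the member who consented
        return 403, {"error": "forbidden"}
    entries = RESOURCES.get(patient_id, {}).get(resource_type, [])
    return 200, {"resourceType": "Bundle", "entry": entries}

# --- The app's side, in two halves, with the member's browser in between ---

def app_start(scope: str = "patient/ExplanationOfBenefit.read"):
    """App keeps the verifier; the request dict is what goes into the redirect URL."""
    verifier = secrets.token_urlsafe(64)
    request = {"client_id": "nutrition-app", "redirect_uri": REGISTERED_APPS["nutrition-app"],
               "scope": scope, "code_challenge": pkce_challenge(verifier), "code_challenge_method": "S256"}
    return verifier, request

def member_signs_in(auth: AuthServer, request: dict, user_id: str, password: str) -> str:
    """Member's browser on the plan's sign-in page: credentials go to the plan, never to the app."""
    return auth.authorize(request["client_id"], request["redirect_uri"], request["scope"],
                          request["code_challenge"], user_id, password)

def app_finish(auth: AuthServer, verifier: str, code: str) -> str:
    """App receives the code on its callback and redeems it with its own verifier."""
    return auth.token("nutrition-app", code, verifier)

if __name__ == "__main__":
    auth = AuthServer()
    verifier, request = app_start()
    token = app_finish(auth, verifier, member_signs_in(auth, request, "member123", "correct horse battery staple"))
    print(fhir_search(auth, token, "ExplanationOfBenefit", "pat-001")[0],  # 200
          fhir_search(auth, token, "Coverage", "pat-001")[0],              # 403, not in granted scope
          auth.revoke_app("nutrition-app"),                                # 1
          fhir_search(auth, token, "ExplanationOfBenefit", "pat-001")[0])  # 401 after revocation
```

The three refusals are the ones worth checking when evaluating an app: a token for `ExplanationOfBenefit` cannot read `Coverage`, cannot read another member's records, and stops working the moment the member disconnects the app. A production deployment also expires access tokens and issues refresh tokens, which this simulation leaves out; what it keeps is the property that matters for the page's warning, namely that the plan can cut off future access but cannot claw back data the app has already downloaded.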

Why share your data? Benefits and risks

There are many potential benefits to this new way to access and share your health information. Take a look at our app gallery for a sampling of the third-party applications that are being developed to help you better use this information. Some apps allow you to combine your data from multiple health providers to create a complete record of your interactions with different doctors and hospitals and even combine it with data you generate on your own from wearable devices like glucose meters, pedometers or heart rate monitors. 

Some other common uses include: 

  • Prescription drug management
  • Chronic disease management 
  • Nutrition tracking
  • Care coordination

Data sharing empowers you to have greater ownership of and visibility into your health data.

However, these benefits are not without some risk. We take your privacy and the security of your health information as seriously as you do. That's why we never share your health information without your express permission. We protect your data throughout the process of sharing it in several ways, including using challenge questions and multi-factor authentication to confirm you – and no one else – can access and share your data. 

It is important to understand, though, that once your data has been shared with an application, the copy the app holds is outside our control: we can stop the app's future access, but we cannot secure, correct or delete what it has already received, and in most cases that copy is no longer protected by HIPAA. This is why it is important to read the privacy and security policies of any application before you share your data with it, so you understand how that application protects and uses your data.

Things you should consider when selecting an app to share your data

  • Will this app sell my data for any reason?
  • Will this app disclose my data to third parties for purposes such as research or advertising?
  • How will this app use my data? For what purposes?
  • Will the app allow me to limit how it uses, discloses, or sells my data?
  • If I no longer want to use this app, or if I no longer want this app to have access to my health information, can I terminate the app's access to my data? If so, how difficult will it be to terminate access?
  • What is the app's policy for deleting my data once I terminate access? Do I have to do more than just delete the app from my device?
  • How will this app inform me of changes in its privacy practices?
  • Will the app collect non-health data from my device, such as my location?
  • What security measures does this app use to protect my data?
  • What impact could sharing my data with this app have on others, such as my family members?
  • Will the app permit me to access my data and correct inaccuracies?
  • Does the app have a process for collecting and responding to user complaints?

Covered Entities and HIPAA Enforcement

The U.S. Department of Health and Human Services' Office for Civil Rights (OCR) enforces the HIPAA Privacy, Security, and Breach Notification Rules. Medica Health Plans is subject to HIPAA, as are most healthcare providers, such as hospitals, doctors, clinics, and dentists. Information for individuals about your rights under HIPAA, and about who is obligated to comply with HIPAA, is available from HHS. To learn more about filing a complaint with OCR related to HIPAA requirements, visit the U.S. Department of Health & Human Services website.

Apps and Privacy Enforcement

An app you choose on your own generally is not subject to HIPAA, because HIPAA covers health plans, providers and their business associates, not consumer apps. An app that publishes a privacy notice is required to comply with the terms of that notice, but it generally is not subject to HIPAA's other privacy and security requirements (some apps are still covered by the FTC's Health Breach Notification Rule or by state privacy laws). The Federal Trade Commission Act protects against deceptive and unfair acts, such as an app disclosing personal data in violation of its own privacy notice, and an app that violates the terms of its privacy notice is subject to the jurisdiction of the Federal Trade Commission (FTC). The FTC provides information for consumers about mobile app privacy and security. If you believe an app inappropriately used, disclosed, or sold your information, you should contact the FTC. You may file a complaint with the FTC using the FTC complaint webpage.