The mandate
Under CMS’ Interoperability and Patient Access Final Rule, payers offering government-purchased or subsidized plans must make members’ personalized health data available to them via third-party apps by July 1, 2021. In order to enable access, payers must build and implement Application Programming Interfaces (APIs), or standardized data transfer structures. Once implemented, patients can request personal clinical and claims data through third-party apps, introducing a new player to the health data ecosystem.

The problem
While interoperability gives members the opportunity to engage with their own health data, it also makes patient information more vulnerable to privacy risks. On top of apps having access to personalized health information (PHI), data that’s transferred to apps is no longer covered by HIPAA. This removes restrictions on how apps can collect and share PHI, creating opportunities for bad actors to aggregate and use patient data in ways that members are not aware of or did not intend.

The takeaway
While the Interoperability and Prior Authorization rule is not yet finalized, CMS has added a provision requiring payers obtain attestation from apps guaranteeing they follow certain privacy protocols. However, CMS has not specified what privacy protocols should be included and has not amended the circumstances in which a plan can deny apps access to their APIs. To fill this gap in federal guidance, industry groups have stepped in to create their own codes of conduct that cover three key elements of data privacy: disclosure and consent, data management and breach response. Plans must build off of these guidelines to educate their members on how to protect their PHI.