App Developer Patient Access API Attestations
[Covered Health Plan] asks that any App developer planning to access Covered Health Plan’s[1]Patient Access API attest that it complies with the following statements. If you do not attest to compliance with these statements, we will notify any member that requests his/her protected health information using your App of that fact and suggest that the member select an App that has attested to complying with these statements.
- The App has a publicly available privacy policy, written in plain language, that has been affirmatively shared with the member prior to the member authorizing the App access to their health information. To ‘‘affirmatively share’’ means that the member must take an action to indicate s/he saw the privacy policy, such as click or check a box.
- The App’s privacy policy includes, at a minimum, the following important information:
- How a member’s health information may be accessed, exchanged, or used by the App and any other person or entity, including whether the member’s health information may be shared or sold at any time (including in the future);
- A requirement for express consent from a member before the member’s health information is accessed, exchanged, or used, including receiving express consent before a member’s health information is shared or sold (other than disclosures required by law or disclosures necessary in connection with a sale, consolidation, merger, or a similar transaction involving the App owner);
- If an App will access any other information from a member’s device; and
- How a member can discontinue App access to their data and what the App’s policy and process is for disposing of a member’s data once the member has withdrawn consent.
- How a member’s health information may be accessed, exchanged, or used by the App and any other person or entity, including whether the member’s health information may be shared or sold at any time (including in the future);
[1]Covered Health Plan means the entity issuing an insurance plan or product which is subject to CMS programmatic oversight authority and is in scope for the CMS interoperability final rule, including Medicare Advantage, Medicaid, Children’s Health Insurance Program, or a Qualified Health Plan.
