Application Program Interfaces (API)


Background:

In May 2020, the Centers for Medicare and Medicaid Services (CMS) created a new rule called CMS Interoperability. This rule gives members the right to see their own healthcare records. It also says that you are the owner of your healthcare information, meaning you decide where it goes and share it with certain applications or services if you choose. This makes it easier for members to manage their own healthcare and get the information they need.
The Tehama County Health Services Agency offers members the ability to access their personal healthcare information through a third-party application on a mobile device or computer, referred to here as [your App]. This access allows you to make more informed decisions about your behavioral health or substance use treatment.
To provide this access, the Department utilizes a Patient Access Application Programming Interface (API).

API Access to Records & Alternate Access to Records

Members may access their health records, as well as claims data, through the API using [your App] on a device or cell phone, by requesting them from TCHSA in person at any TCHSA site, or by mailing in the “Request for Access to Medical Information” form to Tehama County Health Services Agency (TCHSA), Medical Information Request, P.O. Box 400, Red Bluff, CA 96080.
Health records data from June 1, 2022, to present are accessible through an API you may choose to select.
Claims data from July 1, 2024, to present are accessible through an API you may choose to select.
Record and claims data not available via API are available by requesting from TCHSA in person at any TCHSA site, or by mailing in the “Request for Access to Medical Information” form to Tehama County Health Services Agency (TCHSA), Medical Information Request, P.O. Box 400, Red Bluff, CA 96080.

What is an API?

An API is a tool that allows two systems to exchange information with each other. For example, when you send a message using your cell phone, an API facilitates communication between devices. Similarly, the Patient Access API enables the Department to securely share your healthcare information with [your App].

What is a Third-Party Application?

Third-Party applications are software or tools that are not developed by the Tehama County Health Services Agency but by other entities. These applications can use data from the Patient Access API to offer extra services or features to members.

Some examples of Third-Party applications include:

  • Health Apps: These can assist our members to keep track of their health, manage medications, or find healthcare providers.
  • Fitness Trackers: These devices can connect with the Patient Access API to share health data and provide members with better insight into their fitness.
  • Financial Management Tools: These can assist our members in understanding healthcare costs and managing their health insurance plans.

In simple terms, third-party applications act as a bridge by connecting our members with their healthcare information.

The Tehama County Health Services Agency works with the member’s chosen third-party application to share their healthcare information safely and securely using the Patient Access API.

What is Healthcare Data?

Healthcare data includes information about your behavioral health or substance use treatment. This data is shared with us by your healthcare provider and includes information such as:

  • Your name, address, and date of birth.
  • Medical information, such as tests you have undergone, medical conditions you have experienced, and your insurance details.

Benefits of API Data Exchange for Members

Sharing data through an API offers many benefits for members and their healthcare providers.

For Members: It makes getting your healthcare information faster and easier, helping you make better decisions about your treatment.

  1. Improved Access to Healthcare Information
    1. Real-time Access: Members can access their healthcare records at any time, from anywhere.
    2. Consolidated View: Members’ healthcare information is in one place, making it easier to manage.
  2. Enhanced Member Engagement
    1. Increased Involvement: Members can take a more active role in their healthcare by accessing their data.
    2. Better Decision Making: Having accurate information helps members make smarter decisions regarding their healthcare.

For Providers: Providers can use this data to deliver care that is more personalized and accurate based on the member’s needs.

  1. Improved Coordination
    1. Streamlined Communication: Providers can share information faster and easier for better coordination.
    2. Reduced Errors: Up-to-date information lowers the chance of mistakes in the member’s healthcare.
  2. Increased Efficiency
    1. Reduced Administrative Tasks: Saves time by cutting down on manual data entry.
    2. Faster Access to Care: Members can receive treatment faster when providers have the member’s healthcare information readily available.
  3. Greater Privacy and Security
    1. Improved Control: Members have more say in how their healthcare information is shared.
    2. Enhanced Security: APIs offer a safer way to exchange data compared to traditional methods.

This safe and quick data sharing helps members and providers collaborate for better healthcare outcomes.

Privacy and Security

The Patient Access API allows the Tehama County Health Services Agency to share your healthcare data with third-party applications. You get to decide which application to use. Remember, the department has no control over what the application does with your healthcare data once you share it. It is important to choose wisely and understand how the application will handle your information.

To keep your healthcare information safe, the department suggests following these guidelines:

  • Choose trusted apps: Before sharing your healthcare information, make sure the app is secure and has good privacy policies.
  • Read the privacy policy: Check how the app will use and protect your data before you decide to share it.
  • Keep your login information private: Never share your passwords or personal details with anyone.
  • Update your apps: Make sure the apps you use are up to date, so they have the latest security protections.
  • Review your shared data: Check regularly to see what information you’ve shared and whether you will want the app to have access.

Following these steps can help keep your healthcare information safe and private.

What Should I Look for when choosing a third-party application?

When you allow [your App] to access your healthcare information, it will have full access to your information. It is important to choose a trusted application and take steps to understand how it uses your data. Below are some tips to help members decide:

  1. Read the Privacy Policy
    1. Check the application’s privacy policy to see how it collects, uses, and protects your data.
    2. If the application has a privacy notice, it must follow what it says.
  2. Research and Review
    1. Look for applications with a strong reputation for security and privacy. You can read reviews or check recommendations.
  3. Check for Certifications
    1. Look for certifications like HIPAA compliance, which shows the application meets certain security and privacy standards.

Before choosing a third-party app, it’s a good idea to ask some important questions to make sure your healthcare information stays safe. Here are some things to think about:

  • What healthcare data will the app collect? Will it also gather other information, like my location?
  • Will my data be anonymous? Will the app store my information in a way that keeps my identity hidden?
  • How will the app use my data? Will it share my information with other companies or people?
  • Will the app sell my data? Could my information be used for advertising or research?
  • Who else will see my data? If the app shares it, who will get access and why?
  • Can I control how my data is used? Does the app give me choices about sharing or protecting my data?
  • How can I limit sharing? What options do I have to stop or reduce how my data is used?
  • How does the app protect my data? What security measures does it use?
  • Could sharing affect others? Will using the app impact family members or other people?
  • Can I correct mistakes in my data? If the app has wrong information about me, how can I fix it?
  • Does the app handle complaints? If I have concerns, does the app have a way to respond?
  • How can I stop using the app? If I change my mind, how do I remove the app’s access to my healthcare information?
  • What happens to my data if I delete the app? Will my information be erased, or do I need to do more?
  • Will the app tell me about privacy changes? If the app updates its policies, how will I be informed?

If an app doesn’t clearly answer these questions in its privacy policy, you might want to reconsider using it. Healthcare data is very private and should be protected with strong security. For more tips from the Federal Trade Commission (FTC), check out their guide: How Websites and Apps Collect and Use Your Information | Consumer Advice

Applications and Health Insurance Portability and Accountability Act (HIPAA):

HIPAA is a federal law that protects your health information. Under HIPAA, the Tehama County Health Services Agency cannot share your healthcare information unless it is for healthcare treatment, payment, operations, or other purposes permitted by federal law.

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) makes sure that important rules, like HIPAA Privacy, Security, and Breach Notification Rules, are followed. These rules help protect your health information and keep it safe. They also enforce the Patient Safety Act and Rule to make sure members are protected. To learn more about your rights under HIPAA, you can visit: HIPAA for Individuals | HHS.gov

Most third-party applications are not protected by HIPAA, the law that keeps your healthcare information private. Instead, they must follow rules from the Federal Trade Commission (FTC) under the FTC Act. This law helps protect you from dishonest actions. For example, if an app promises not to share your personal data but does anyway, the FTC can take action. To learn more about mobile app privacy and security, check out the helpful FTC guide: How Websites and Apps Collect and Use Your Information | Consumer Advice

Is sharing my healthcare information online safe?

When making decisions about your health, it is important to share your healthcare information only with people and apps you trust. This includes family, doctors, or others who help take care of you.

To keep your information safe, the department suggests following the safeguards below:

  • Only use trusted health apps or software to manage your healthcare information.
  • Keep your log-in and password information private. Never share your log-in or password with anyone.
  • Store paper records in a secure location, such as in a locked filing cabinet or a safe.
  • Purchase virus protection software for your computer.
  • Avoid sending sensitive information via email unless it is protected with a strong password.

To learn more information regarding online security refer to How Websites and Apps Collect and Use Your Information | Consumer Advice.

Can minors share their PHI?

Members who are 12 years of age or younger cannot share their health data through a third-party health app without the approval of a parent, guardian, or other authorized representative. Until a HIPAA authorization form is filed with the Tehama County Health Services Agency, only Explanation of Benefits (EOB) information will be accessible through a health app.

This ensures that the privacy and security of health information for young members are properly safeguarded. For more details or assistance, please contact the Tehama County Health Services Agency.

HIPAA-Covered Entities: A Breakdown

Some organizations and people must follow HIPAA rules, meaning they must protect healthcare information. These are called HIPAA-Covered entities. Below is a breakdown of HIPAA-Covered entities and Non-HIPAA-Covered entities:

Organizations Covered by HIPAA:

  • Health Plan: These include insurance companies, Medicaid, Medicare, and health maintenance organizations (HMOs).
  • Healthcare Providers: These include doctors, hospitals, clinics, nursing homes, and dentists.
  • Healthcare Clearinghouses: These include groups that process healthcare claims between providers and insurance companies.

Organizations NOT Covered by HIPAA:

  • Life Insurers: Even though they handle healthcare information, they aren’t covered unless they provide healthcare services.
  • Disability Insurers: Like life insurers, they aren’t covered unless they provide healthcare services.
  • Workers Compensation Insurers: They often deal with work related injury healthcare information but are generally not covered by HIPAA.

Individuals Who Are NOT Covered:

  • Members: While members have rights under HIPAA, they do not have to follow its rules themselves.
  • Family Members: Unless authorized to act on behalf of the member, family members are not covered by HIPAA.

Note: Since there could be exceptions, it is always a good idea to check with a legal expert if you’re unsure whether HIPAA applies to a certain group or person.

Office for Civil Rights (OCR) and Federal Trade Commission (FTC)

The Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) both help make sure organizations follow HIPAA rules, but they have different responsibilities.

Office for Civil Rights (OCR)

  • Enforcing HIPAA Rules: The OCR makes sure healthcare information stays private and secure. They investigate complaints, check if organizations follow the rules and can impose fines for organizations that do not.
  • Education and Guidance: The OCR provides helpful resources and information to organizations, so they understand and follow HIPAA regulations.
  • Technical Assistance: The OCR helps organizations develop plans to stay compliant with HIPAA.

Federal Trade Commission (FTC)

  • Stopping Unfair or Dishonest Practices: The FTC works to prevent unfair or misleading practices. If an organization lies about how it protects healthcare information, the FTC can take action.
  • Protecting Consumers: The FTC helps make sure people can access their healthcare information and that their information is not shared or used improperly.

Key Differences:

While both OCR and FTC are involved in HIPAA oversight, their primary areas of focus differ:

  • OCR: Focuses on enforcing HIPAA rules, educating organizations, and offering guidance.
  • FTC: Focuses on stopping dishonest health-related practices and protecting consumer rights.

Sometimes, OCR and the FTC work together if a case involves both HIPAA violations and consumer protection concerns. Their goal is to keep healthcare information safe and make sure organizations follow the law.

How to File a Complaint

Apps must follow privacy laws to protect your personal information. One important law is the Federal Trade Commission Act (FTC Act), which helps keep companies accountable if they break privacy rules. If an app misuses your data or shares it in a way it shouldn’t, the federal government may take action.

If you believe your healthcare information has been shared improperly or an app has used your data in the wrong way, you can file a complaint with the Tehama County Health Services Agency Patients’ Rights Office. For more details, visit: Patients’ Rights – TCHSA Internet Website

You can also submit a complaint to OCR or FTC. For more information see below:

Office for Civil Rights (OCR)

To learn more about filing a complaint with OCR under HIPAA, visit: Filing a HIPAA Complaint | HHS.gov

  1. Online Complaint Form: The most convenient way to submit a complaint to OCR is through their online form. Individuals can file a complaint with OCR using the OCR complaint portal: U.S. Department of Health & Human Services – Office for Civil Rights
  2. Mail: You can also submit a complaint by mail to:
     Office for Civil Rights – U.S. Department of Health and Human Services
     200 Independence Avenue, S.W.
     Washington, D.C. 20201
  3. Call: You can also contact OCR at its Toll Free Call Center: 1-877-696-6775

Federal Trade Commission (FTC)

  1. Online Complaint Form: To submit a complaint online through the FTC’s website, please visit: Federal Trade Commission | Protecting America’s Consumers
  2. Mail: You can also mail your complaint to:
     Bureau of Consumer Protection, Federal Trade Commission
     600 Pennsylvania Ave., NW
     Washington, DC 20580
  3. Call: You can also contact the FTC Consumer Response Center by calling 1-877-FTC-HELP (1-877-382-4357)

Important Tips on Filing a Complaint:

  • Be specific: Provide as much detail as possible about the alleged violation, including dates, names, and any relevant documentation.
  • Keep a copy: Make a copy of your complaint for your records.
  • Follow Up: If you don’t receive a response within a reasonable time, you may want to follow up with the agency.

THIS DOES NOT CONSTITUTE LEGAL ADVICE ON THE PART OF TCHSA.

Developer API Resources

The Provider Directory Application Program Interface (API)

The Provider Directory Application Program Interface (API) is a recent development aimed at delivering current details regarding healthcare providers and facilities to beneficiaries of the Centers for Medicare & Medicaid Services (CMS). Through this API, beneficiaries can explore healthcare providers and facilities based on various factors such as location, specialty, and other criteria.

This API emerged as a response to the CMS Interoperability and Patient Access Final Rule. This regulation mandates health plans to furnish beneficiaries with access to precise and promptly updated provider directory information through an API. The rule’s objective is to enhance access to care and guarantee that beneficiaries possess the necessary information to make well-informed decisions concerning their healthcare.

API Description

The Provider Directory guide is built on the Fast Healthcare Interoperability Resources (FHIR) STU3 API and serves as the cornerstone of a comprehensive provider directory. It delineates the scenarios and search criteria for locating a practitioner or organization, while also specifying the essential data elements and offering fundamental query instructions. The elements outlined in this guide aim to establish a framework for a centralized Provider Directory.

For more information about how to use the API, please refer to the API’s Documentation: Provider Directory API | Netsmart CareConnect or view entry level information in the Provider Directory API Access Section below

The Patient Access Application Program Interface (API)

As part of the Centers for Medicare and Medicaid Services (CMS) Interoperability and Patient Access Rule, BHSD implemented the Patient Access API as a publicly available API that establishes beneficiaries as the owners of their health information, with the right to direct its transmission to third-party applications.

Patient Access API Member Education and Resources

API Description

The Patient Access API allows members to access their personal health information through a third-party application of their choosing. This API implements the HL7 FHIR implementation guides listed below.

For more information about how to use the API, please refer to the API’s Documentation: Patient Access API | Netsmart CareConnect. If you’re just looking for how to get started, read on.

Third party application developer registration.

To gain access to the API developer portal, register third party applications, and request third party application client credentials, developers should first request an API Developer Portal account by emailing the request to the Tehama County Health Services Agency at developer_request@tchsa.net.

If you are a registered developer, you can log in here.

This documentation presumes that anyone accessing the API is familiar with the implementation guides for patient access, available at: US Core (hl7.org), HL7.FHIR.US.CARIN-BB Home (FHIR v4.0.1), and https://build.fhir.org/ig/HL7/davinci-pdex-formulary/.

Once the API Developer has an account, they can register their Organization and Third-Party Application(s) via the API Developer Portal. The OAuth2 Authorization Server / Open ID Connect Provider (AS/OP) provides necessary details for establishing secure communication with the third-party application.

Patient Access API Access.

The FHIR base server URL for the live response production environment is: https://fhir.netsmartcloud.com/uscore/v1/. The FHIR base server URL for the demo (e.g. third-party application test or sandbox environment) is: https://fhirtest.netsmartcloud.com/uscore/v1/.


An example of retrieving the live response production environment capability statement is below. Note that the HTTP Accept header is required. This command will download the capability statement into a file named netsmart-patient-cs.json:

Example

curl -s https://fhir.netsmartcloud.com/uscore/v1/metadata --header "Accept: application/json" --output netsmart-patient-cs.json

An example of retrieving the demo (e.g. third-party application test or sandbox environment) capability statement is below. Note that the HTTP Accept header is required. This command will download the capability statement into a file named netsmart-patient-cs-test.json:

Example

curl -s https://fhirtest.netsmartcloud.com/uscore/v1/metadata --header "Accept: application/json" --output netsmart-patient-cs-test.json
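Once the capability statement has been downloaded with one of the commands above, the useful next step for an application developer is to read it programmatically and confirm that the resources and interactions the app depends on are actually advertised before building against them. The script below is an added example and is not code from the page or from Netsmart; it embeds a constructed, abbreviated CapabilityStatement (the resource types, search parameters and the SMART-on-FHIR security service entry are sample values, not a capture from the live or test server) and shows how to build the /metadata request with the mandatory Accept header and how to summarise what the server claims to support.

```python
import json
import urllib.request

# Constructed, abbreviated CapabilityStatement in the shape a FHIR R4 /metadata
# endpoint returns. Sample data for this example only, not a response captured
# from the Netsmart production or test servers.
SAMPLE_CAPABILITY_STATEMENT = json.dumps({
    "resourceType": "CapabilityStatement",
    "status": "active",
    "fhirVersion": "4.0.1",
    "format": ["json"],
    "rest": [{
        "mode": "server",
        "security": {"service": [{"coding": [{"code": "SMART-on-FHIR"}]}]},
        "resource": [
            {"type": "Patient",
             "interaction": [{"code": "read"}, {"code": "search-type"}],
             "searchParam": [{"name": "_id", "type": "token"},
                             {"name": "name", "type": "string"}]},
            {"type": "Observation",
             "interaction": [{"code": "read"}, {"code": "search-type"}],
             "searchParam": [{"name": "patient", "type": "reference"},
                             {"name": "category", "type": "token"}]},
            {"type": "ExplanationOfBenefit",
             "interaction": [{"code": "read"}],
             "searchParam": []},
        ],
    }],
})


def build_metadata_request(base_url):
    """Build (without sending) the GET <base>/metadata request.

    The Accept header is required by this server, so it is set here rather
    than left to the caller to remember.
    """
    url = base_url.rstrip("/") + "/metadata"
    return urllib.request.Request(url, headers={"Accept": "application/json"}, method="GET")


def summarize_capabilities(cs_json):
    """Map each resource type in the server-mode REST block to the
    interactions and search parameters the server advertises for it."""
    cs = json.loads(cs_json)
    if cs.get("resourceType") != "CapabilityStatement":
        raise ValueError("response is not a CapabilityStatement")
    summary = {}
    for rest in cs.get("rest", []):
        if rest.get("mode") != "server":
            continue
        for res in rest.get("resource", []):
            summary[res["type"]] = {
                "interactions": sorted(i["code"] for i in res.get("interaction", [])),
                "search_params": sorted(p["name"] for p in res.get("searchParam", [])),
            }
    return summary


def advertises_smart_on_fhir(cs_json):
    """True if any server REST block declares the SMART-on-FHIR security service."""
    cs = json.loads(cs_json)
    for rest in cs.get("rest", []):
        for svc in rest.get("security", {}).get("service", []):
            if any(c.get("code") == "SMART-on-FHIR" for c in svc.get("coding", [])):
                return True
    return False


def missing_capabilities(summary, required):
    """Return the (resource type, interaction) pairs from `required` that the
    server does not advertise, so the app can fail early instead of at runtime."""
    missing = []
    for rtype, interaction in required:
        caps = summary.get(rtype)
        if caps is None or interaction not in caps["interactions"]:
            missing.append((rtype, interaction))
    return missing


if __name__ == "__main__":
    req = build_metadata_request("https://fhir.netsmartcloud.com/uscore/v1/")
    print("would request:", req.full_url, "Accept:", req.get_header("Accept"))
    summary = summarize_capabilities(SAMPLE_CAPABILITY_STATEMENT)
    wanted = [("Patient", "read"), ("Observation", "search-type"),
              ("ExplanationOfBenefit", "search-type"), ("Coverage", "read")]
    print("SMART on FHIR advertised:", advertises_smart_on_fhir(SAMPLE_CAPABILITY_STATEMENT))
    print("missing capabilities:", missing_capabilities(summary, wanted))
```

To run it against the real servers, send the request returned by build_metadata_request with urllib.request.urlopen and pass the response body to summarize_capabilities; the example deliberately stops short of a network call so it runs offline.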

Our FHIR RESTful capabilities include:

  • Support the US Core resource profiles – conformance expectation SHALL.
  • Support the CARIN-BB resource profiles – conformance expectation SHALL.
  • Support the US Drug Formulary resource profiles – conformance expectation SHALL.
  • Implement the RESTful behavior according to the FHIR specification.
  • For all the supported search interactions in this guide, support the GET based search only.
  • Return the following response classes (at a minimum):
    1. (Status 400): invalid parameter
    2. (Status 401/4xx): unauthorized request
    3. (Status 403): insufficient scopes
    4. (Status 404): unknown resource
  • Support JSON source formats for all US Core, CARIN-BB and US Drug Formulary interactions.
  • Support the search parameters on each profile individually and in combination – conformance expectation SHALL.

FHIR Server

Third party applications will need to follow the SMART on FHIR specification, version 1.0.0. Third party applications must be pre-registered in the API Developer portal. After account creation, the API Developer will be walked through registering their application organization and their third-party application. Currently, the Patient Access API implementation only supports patient read resource scopes along with the SMART on FHIR context scopes such as launch/patient, fhirUser, openid, etc.
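The two statements above that matter most for a developer are that only patient read scopes are supported and that a request outside its granted scopes gets one of the response classes listed earlier (400 invalid parameter, 401 unauthorized, 403 insufficient scopes, 404 unknown resource). The code below is an added example written for this page, not the Netsmart authorization server's or the Patient Access API's own code; it models both decisions in one place so that the server behaviour described here can be reasoned about offline. The supported resource types, the allowed search parameters per resource, and the inclusion of offline_access among the context scopes are assumptions made for the example; the real server's lists come from its capability statement and the SMART on FHIR 1.0.0 specification.

```python
# Resource types this example server exposes (assumed for the example; the real
# server's list is published in its capability statement).
SUPPORTED_RESOURCES = {"Patient", "Observation", "Condition", "Coverage", "ExplanationOfBenefit"}

# Search parameters accepted per resource (assumed for the example).
ALLOWED_SEARCH_PARAMS = {
    "Patient": {"_id", "name", "birthdate"},
    "Observation": {"patient", "category", "code", "date"},
    "Condition": {"patient", "category"},
    "Coverage": {"patient", "beneficiary"},
    "ExplanationOfBenefit": {"patient", "_id"},
}

# SMART context scopes that carry no resource permission. openid, fhirUser and
# launch/patient are named on the page; offline_access is an assumed addition.
CONTEXT_SCOPES = {"openid", "fhirUser", "launch/patient", "offline_access"}


def filter_requested_scopes(requested):
    """Split a requested SMART v1 scope string into the scopes this server grants
    and the scopes it refuses. Only context scopes and patient/<Resource>.read
    (or patient/*.read) are granted; user/ and system/ scopes and any write
    access are refused because the server supports patient read scopes only."""
    granted, refused = [], []
    for scope in requested.split():
        if scope in CONTEXT_SCOPES:
            granted.append(scope)
        elif scope.startswith("patient/") and scope.endswith(".read"):
            granted.append(scope)
        else:
            refused.append(scope)
    return granted, refused


def _scope_allows_read(granted_scopes, resource_type):
    """True if a granted patient read scope covers resource_type."""
    for scope in granted_scopes:
        if not scope.startswith("patient/"):
            continue
        resource, _, access = scope[len("patient/"):].partition(".")
        if access == "read" and resource in (resource_type, "*"):
            return True
    return False


def authorize(token_scopes, resource_type, interaction, query_params=None):
    """Decide one request and return (http_status, reason), using the response
    classes the page lists. token_scopes is the space-separated scope string
    bound to the presented bearer token, or None when no valid token was sent."""
    if token_scopes is None:
        return 401, "missing or invalid bearer token"
    if resource_type not in SUPPORTED_RESOURCES:
        return 404, f"unknown resource type {resource_type}"
    if interaction not in ("read", "search-type"):
        # Writes are never permitted: the server issues patient read scopes only.
        return 403, f"{interaction} is not supported; patient read scopes only"
    if not _scope_allows_read(token_scopes.split(), resource_type):
        return 403, f"insufficient scopes for {resource_type} {interaction}"
    unknown_params = sorted(set(query_params or {}) - ALLOWED_SEARCH_PARAMS[resource_type])
    if unknown_params:
        return 400, "invalid search parameter(s): " + ", ".join(unknown_params)
    return 200, "ok"


if __name__ == "__main__":
    print(filter_requested_scopes("openid fhirUser launch/patient patient/Patient.read patient/Observation.write"))
    token = "openid fhirUser launch/patient patient/Patient.read"
    print(authorize(token, "Patient", "read"))
    print(authorize(token, "Observation", "search-type", {"patient": "p-001"}))
    print(authorize(None, "Patient", "read"))
```

Checking the token before validating query parameters is deliberate: a client without a valid token or the right scope learns nothing about which parameters the server accepts.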

Tehama County Health Services Agency monitors API requests, and request patterns, reserving the right to block IP address(es) if API traffic originating from that address(es) frequently disrupts normal operations of the API or demonstrates patterns of behavior consistent with attempts to attack the systems providing the API.
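The monitoring described above is the kind of check an API operator runs over its access logs: a sliding window per client address that flags sustained request floods and repeated authentication or authorization failures. The script below is an added example for this page, not the agency's or Netsmart's monitoring code. Its log lines are constructed in place (timestamps, documentation-range IP addresses and paths are all invented for the example), the log line format is assumed, and the thresholds are illustrative values rather than the agency's actual policy.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _burst(ip, start, count, step_seconds, path, status):
    """Generate `count` constructed log lines from one IP, spaced step_seconds apart."""
    return [
        f"{(start + timedelta(seconds=i * step_seconds)).strftime(TS_FMT)} {ip} GET {path} {status}"
        for i in range(count)
    ]


START = datetime(2024, 7, 1, 10, 0, 0)
# Constructed sample log (not real TCHSA or Netsmart traffic). Assumed format per line:
# <timestamp> <client ip> <method> <path> <status>
SAMPLE_LOG = "\n".join(
    _burst("203.0.113.5", START, 3, 20, "/uscore/v1/Patient/p-001", 200)              # ordinary member app
    + _burst("198.51.100.77", START + timedelta(seconds=5), 15, 1,
             "/uscore/v1/Patient/p-001", 401)                                           # repeated rejected tokens
    + _burst("192.0.2.9", START + timedelta(seconds=10), 150, 0.2,
             "/uscore/v1/Observation?patient=p-001", 200)                               # request flood
)


def parse_line(line):
    """Split one log line into (timestamp, ip, method, path, status)."""
    ts, ip, method, path, status = line.split()
    return datetime.strptime(ts, TS_FMT), ip, method, path, int(status)


def flag_abusive_clients(log_text, window=timedelta(seconds=60),
                         max_requests=100, max_auth_failures=10):
    """Sliding-window check per client IP.

    Returns {ip: sorted reasons} for every IP that exceeds max_requests in any
    `window`, or exceeds max_auth_failures (401/403 responses) in any `window`.
    Thresholds are illustrative, not the agency's actual policy.
    """
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(deque)           # ip -> timestamps of all requests in window
    recent_failures = defaultdict(deque)  # ip -> timestamps of 401/403 responses in window
    flagged = defaultdict(set)
    for ts, ip, _method, _path, status in events:
        for dq in (recent[ip], recent_failures[ip]):
            while dq and ts - dq[0] > window:
                dq.popleft()
        recent[ip].append(ts)
        if status in (401, 403):
            recent_failures[ip].append(ts)
        if len(recent[ip]) > max_requests:
            flagged[ip].add("request rate")
        if len(recent_failures[ip]) > max_auth_failures:
            flagged[ip].add("auth failures")
    return {ip: sorted(reasons) for ip, reasons in flagged.items()}


if __name__ == "__main__":
    for ip, reasons in flag_abusive_clients(SAMPLE_LOG).items():
        print(f"{ip}: {', '.join(reasons)}")
```

Counting 401 and 403 responses separately from the raw request rate matters: a low-volume client that keeps presenting rejected tokens or requesting resources outside its scopes never trips a rate threshold but is exactly the pattern the page says is monitored.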

Resources:

  • CMS Interoperability and Patient Access Final Rule: Interoperability and Patient Access Final Rule (May 1, 2020), Medicare and Medicaid Programs; Patient Protection and Affordable Care Act; Interoperability and Patient Access for Medicare Advantage Organization and Medicaid Managed Care Plans, State Medicaid Agencies, CHIP Agencies and CHIP Managed Care Entities, Issuers of Qualified Health Plans on the Federally-Facilitated Exchanges, and Health Care Providers (85 Fed. Reg. 25510)
  • 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program

Richer documentation is available via the Netsmart Provider Directory Resources page here: Provider Directory Supported Resources | Netsmart CareConnect

Provider Directory API Access

The provider directory is an open access and public-facing API to make provider directory information available. This API does not require any authentication for any user.

The Provider Directory API is located at:

https://fhir.netsmartcloud.com/payer/provider-directory/v2/eb7b73e0-836a-4041-9c0c-753079b3518f/

This documentation presumes that anyone accessing the API is familiar with the implementation guide for provider directory, FHIR US DAVINCI-PDEX v4.0.1. The capability statement is available here

Endpoints

/Profile –

  • /Practitioner
  • /PractitionerRole
  • /Location
  • /Organization
  • /OrganizationAffiliation
  • /InsurancePlan
  • /HealthcareService
  • /Metadata

Richer documentation is available via the NetSmart Provider Directory Resources page here: Provider Directory Supported Resources | Netsmart CareConnect

Resources:

  • CMS Interoperability and Patient Access Final Rule: Interoperability and Patient Access Final Rule (May 1, 2020), Medicare and Medicaid Programs; Patient Protection and Affordable Care Act; Interoperability and Patient Access for Medicare Advantage Organization and Medicaid Managed Care Plans, State Medicaid Agencies, CHIP Agencies and CHIP Managed Care Entities, Issuers of Qualified Health Plans on the Federally Facilitated Exchanges, and Health Care Providers (85 Fed. Reg. 25510)
  • 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program.
  • FHIR US DAVINCI-PDEX v4.0.1: This implementation guide defines a FHIR interface to a health insurer’s insurance plans, their associated networks, and the organizations and providers that participate in these networks.

TCHSA Policies

  • 4-14-14170 API Access Control and Third Party Application Management
  • 4-14-14175 Patient Access and Availability API Requirements
  • 4-14-14180 API Updates to Provider Directory for MHP
  • 4-14-14185 Patient Access and Provider Directory API Testing and Monitoring

Request for access to Medical Information