Getting health information through mobile apps

Currently, Florida Blue Medicare Advantage and Florida Blue members who are enrolled in a Qualified Health Plans (QHP) on the Federally-Facilitated Exchange (FFE) can request an electronic copy of their protected health information through an app of their choice. Presently Florida Blue does not offer a proprietary third-party application for its members. 

Apps must be registered with Florida Blue to receive member healthcare data transfers. Members may wish to validate app status prior to initiating a new subscription, if the app is not listed with Florida Blue as available for data transfers.

At the moment, Florida Blue has extended this new App access feature to its current members who are enrolled in either a Qualified Health Plan (QHP) sold on the Federally-Facilitated Exchange (FFE) or a Medicare Advantage (MA) Plan.   

You can request a copy of your PHI in accordance with the Florida Blue Notice of Privacy Practices. If you use an app to request PHI, Florida Blue may electronically provide the following information:

• Any claims, office visit (if your plan is an HMO plan) and medical information in our records going back to January 1, 2016. What we provide to the app depends on what information the app requests and what information we have.
• All of your medical information in our records going back to January 1, 2016, may be released, depending on what the app requests. This may include sensitive medical information, such as treatment or diagnosis information about mental health, substance use disorders, sexually transmitted diseases and more. At this time, Florida Blue cannot withhold sensitive information when responding to a PHI access request through an app, even at your request.
• The PHI Florida Blue provides is limited to what is in our records. For a more complete picture of your health records, you may also need to request PHI from your doctors and any previous insurers.

Florida Blue is required to disclose all claim, office visit and clinical information (including sensitive information) that an app requests going back to January 1, 2016. If there is sensitive information you do not want an app to receive, you should not request your PHI through that app.

An app will need to register with Florida Blue before you can use it to request access to your PHI. Under certain circumstances, Florida Blue may deny an app’s registration. If you want to request PHI through an app, make sure the app you choose is registered with Florida Blue before requesting your health information. If the app has not registered with Florida Blue, contact the app’s developer so they can begin the registration process. Florida Blue is not responsible for issues that may occur with an app that delay or prevent the transmission of information. As apps register with Florida Blue and become available for PHI access, we will list them here

It’s important to take an active role in protecting your PHI. Look for an easy-to-read privacy policy that clearly explains how the app will use your PHI. If an app does not have a privacy policy, or if you do not understand it, you may want to reconsider using the app. Here are some issues to look for when reviewing an App’s privacy policy:

• What health data will this app collect? Will this app collect non-health data from my device, such as my location?
• Will my data be stored in a de-identified or anonymized form?
• How will this app use my data?
• Will this app disclose my data to third parties?
  • Will this app sell my data for any reason, such as advertising or research?
  • Will this app share my data for any reason? If so, with whom? For what purpose?
• How can I limit this app’s use and disclosure of my data?
• What security measures does this app use to protect my data?
• What impact could sharing my data with this app have on others, such as my family members?
• How can I access my data and correct inaccuracies in data retrieved by this app?
• Does this app have a process for collecting and responding to user complaints?
• If I no longer want to use this app, or if I no longer want this app to have access to my health information, how do I terminate the app’s access to my data?
  • What is the app’s policy for deleting my data once I terminate access? Do I have to do more than just delete the app from my device?
• How does this app inform users of changes that could affect its privacy practices?

If the app’s privacy policy does not clearly answer these questions, patients should reconsider using the app to access their health information. Health information is very sensitive information, and patients should be careful to choose apps with strong privacy and security standards to protect it.

Some patients, particularly patients who are covered by Qualified Health Plans (QHPs) on the Federally-facilitated Exchanges (FFEs), may be part of an enrollment group where they share the same health plan as multiple members of their tax household. Often, the primary policy holder and other members can access information for all members of an enrollment group unless a specific request is made to restrict access to member data. Patients should be informed about how their data will be accessed and used if they are part of an enrollment group based on the enrollment group policies of their specific health plan in their specific state. Patients who share a tax household but who do not want to share an enrollment group have the option of enrolling individual household members into separate enrollment groups, even while applying for Exchange coverage and financial assistance on the same application; however, this may result in higher premiums for the household and some members, (i.e. dependent minors, may not be able to enroll in all QHPs in a service area if enrolling in their own enrollment group) and in higher total out-of-pocket expenses if each member has to meet a separate annual limitation on cost sharing (i.e., Maximum Out-of-Pocket (MOOP).

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces the HIPAA Privacy, Security, and Breach Notification Rules, and the Patient Safety Act and Rule. You can find more information about your rights under HIPAA and who is obligated to follow HIPAA here: Guidance Materials for Consumers.

HHS also has published HIPAA FAQs for Individuals, which contain information on specific topics that may interest you: HIPAA FAQs for Individuals. Here’s another helpful resource to understand your rights under HIPAA: How to get your health record.

If you want more information on how Florida Blue complies with HIPAA for our members and what Florida Blue does to protect your information, view our HIPAA Notice of Privacy Practices.

Most apps are not specifically covered by HIPAA and are not required to be covered by HIPAA. HIPAA does not cover most third-party apps. HIPAA governs health insurance plans (such as Florida Blue), health care providers (such as doctor’s offices and hospitals), and health care clearinghouses (collectively known as “covered entities”) or entities performing services on behalf of Covered Entities that involve PHI. Most third-party apps are not created by, or affiliated with covered entities, so these app developers are not likely bound by HIPAA privacy and security protections. These apps may be regulated by the Federal Trade Commission (FTC) and the protections provided by the FTC Act. The FTC Act, among other things, protects against deceptive acts (for example, if an app shares personal data without permission, despite having a privacy policy that says it will not do so). The FTC also enforces the promises that are made in an app’s privacy policies, which is why it’s important for you to review an app’s privacy policies before using it to request PHI from Florida Blue.

The FTC provides information about mobile app privacy and security for consumers here: Understanding Mobile Apps

If you’re concerned an app has violated your privacy rights or believe that your information has been breached in an app, you should consider filing a complaint with the app using the contact information it provides.

• You can also file a complaint with the FTC using the FTC Complaint Assistant. Florida Blue has no control over the app you choose. While you may contact us if an app has misused your data or if there was a breach, we may not be able to help you.

• If you think we violated your privacy rights, you may file a complaint with us in accordance with our Notice of Privacy Practices. Members also may file a complaint with the U.S. Department of Health and Human Services (HHS). We support your right to protect the privacy of your PHI. We will not retaliate in any way if you choose to file a complaint with us or with the U.S. Department of Health and Human Services.
  • Contact: Business Ethics, Integrity & Compliance
    Florida Blue PO Box 44283 Jacksonville
    Jacksonville FL 32203-4283
    Phone: 1-888-574-2583
     

• To learn more about filing a complaint with the Office of Civil Rights (the department of HHS that enforces HIPAA), visit Filing a Complaint.

• Individuals can file a complaint with OCR using the OCR complaint portal.

Ready to stop using an app? If you want Florida Blue to stop allowing an app to access your health information, call Member Services at one of the below numbers. Calling Member Services is currently the only way you can stop an app from collecting your health data after you have given them access. However, be advised that an app may continue to store your member data even after you stop sharing. 

• Group, Individual and Family (QHP) members: Call 1-800-FLA-BLUE (352-2583). TTY users, please call 1-800-955-8770. Member Services is open from 8 a.m. to 6 p.m., Monday through Friday.
• Medicare Advantage members: Call 1-800-926-6565. TTY users, please call 1-800-955-8770. Medicare Member Services is open from 8 a.m. to 8 p.m. local time, seven days a week from October 1 through March 31, except for Thanksgiving and Christmas. From April 1 through September 30, we are open Monday through Friday, 8 a.m. to 8 p.m. local time.

Any history held by Florida Blue for a previous Medicare Advantage or Florida Blue Qualified Health Plan member since January 1, 2016 is part of our database. Your Florida Blue PHI is available through a request to the app to which you subscribe. Contact your app provider and request to connect, or select "Florida Blue" from the app's available health insurer connections. 

Members have the right to obtain personal health information dating to January 1, 2016 from any health insurers regulated by the Centers for Medicare and Medicaid Services (CMS). This includes health insurers offering Medicare, Medicare Advantage, Medicaid, Commercial Medicaid, Children's Health Insurance Plans and Marketplace plans sold on the Federally-facilitated Exchanges established under the Affordable Care Act.