Blue Cross and Blue Shield of Alabama Patient Access API

Blue Cross and Blue Shield of Alabama (BCBSAL) is required to provide you with access to detailed information about your health history through a “Patient Access Application Programming Interface (API).” The Patient Access API allows you to easily access your protected health information (PHI) such as claims information, including cost, and a defined sub-set of your clinical information through third-party applications (apps) of your choice. Third-party apps can be downloaded on a smart phone, tablet, computer or other similar devices.

*The information we will disclose may include information about treatment for Substance Use Disorders, mental health treatment, HIV status, or other sensitive information.

It is important for you to understand that the third-party app you choose to download will have access to all of your information. The third-party app is not subject to Health Insurance Portability and Accountability Act (HIPAA) rules and other privacy laws, which generally protect your health information. Instead, the app’s privacy policy describes limitations on how the app will use, disclose, and (possibly) sell information about you.

If you decide to access your information through the Patient Access API, you should look for an easy-to-read third-party app privacy policy that clearly explains how the app will use your data. Things you may wish to consider when selecting a third-party app:

• What health data will this app collect? Will this app collect non-health data from my device, such as my location?
• Will my data be stored in a de-identified or anonymized form?
• How will this app use my data?
• Will this app disclose my data to third parties?
  • Will this app sell my data for any reason, such as advertising or research?
  • Will this app share my data for any reason? If so, with whom? For what purpose?
• How can I limit this app’s use and disclosure of my data?
• What security measures does this app use to protect my data?
• What impact could sharing my data with this app have on others, such as my family members?
• How can I access my data and correct inaccuracies in data retrieved by this app?
• Does this app have a process for collecting and responding to user complaints?
• If I no longer want to use this app, or if I no longer want this app to have access to my health information, how do I terminate the app’s access to my data?
  • What is the app’s policy for deleting my data once I terminate access?
  • Do I have to do more than just delete the app from my device?
• How will this app inform me of changes in its privacy practices?

If the app’s privacy policy does not satisfactorily answer these questions, you may wish to reconsider allowing the app to access your health information. Your health information may include very sensitive information. You should be careful by choosing an app with strong privacy and security standards to protect it.

Covered Entities and HIPAA Enforcement

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces the HIPAA Privacy, Security, and Breach Notification Rules, and the Patient Safety Act and Rule. You can find more information about patient rights under HIPAA and who is obligated to follow HIPAA here. Another helpful document is the HIPAA FAQs for Individuals.

What should I do if I think my data has been breached or an app has used my data inappropriately?

You may submit a complaint directly to the Office for Civil Rights (OCR) or the Federal Trade Commission (FTC), as appropriate.

• To file a complaint with OCR under HIPAA, visit https://www.hhs.gov/hipaa/filing-a-complaint/index.html
• Individuals can file a complaint online with OCR using the OCR complaint portal at https://ocrportal.hhs.gov/ocr/smartscreen/main.jsf
• Individuals can file a complaint with the FTC using the FTC complaint assistant at https://reportfraud.ftc.gov

Apps and Privacy Enforcement

Most third-party apps will not be covered by HIPAA. Most third-party apps will instead fall under the jurisdiction of the Federal Trade Commission (FTC) and the protections provided by the FTC Act. The FTC Act, among other things, protects against deceptive acts (e.g., if an app shares personal data without permission, despite having a privacy policy that says it will not do so). The FTC provides information about mobile app privacy and security for consumers here.