Help your members ensure the privacy of their health information.

Provide Education

Payers are required to develop educational resources that help members take an active role in protecting their health information. Use the content provided below as a starting point and explore the CARIN App Registration Guide for more in-depth information.

Required Information

All educational resources need to be communicated in non-technical, simple and easy-to-understand language. Expand the sections below to review the content you will need to provide your members.

Finding a trustworthy app

These certification and health standard organizations have already done the hard work of assessing third-party health apps that have agreed to comply with their high standards of data security. To find an app you can trust, browse the list of trusted apps on the CARIN website or look for apps with HITRUST certifications.

How to protect your data

Once we securely transmit data to a 3rd party application, it’s the app's responsibility to keep it safe.

Before directing myPayer to share your health information with an app, you should make sure you understand how an application plans to use your data, share it with others and keep it safe.

An application’s terms of use and privacy policy are supposed to explain their data practices. Only choose apps that provide easy-to-read policies that clearly explain how they intend to use your data. If a privacy policy doesn’t exist or is difficult to understand, consider using a different application.

Use the checklist below when selecting an app. If you are unable to answer any of the questions after reading an app’s privacy policies or terms of use, you should reconsider sharing your private health data.

Your health data privacy and security checklist

Below is a list of questions, suggested by the Centers for Medicare & Medicaid Services (CMS), that you should keep in mind when sharing your personal health data with a 3rd party application. Read more at www.cms.gov.

  • What health data will this app collect?
  • Will this app collect non-health data from my device, such as my location?
  • Will my data be stored in a de-identified or anonymized form?
  • How will this app use my data?
  • Will this app disclose my data to third parties?
  • Will this app sell my data for any reason, such as advertising or research?
  • Will this app share my data for any reason? If so, with whom? For what purpose?
  • How can I limit this app’s use and disclosure of my data?
  • What security measures does this app use to protect my data?
  • What impact could sharing my data with this app have on others, such as my family members?
  • How can I access my data and correct inaccuracies in data retrieved by this app?
  • Does this app have a process for collecting and responding to user complaints?
  • If I no longer want to use this app, or if I no longer want this app to have access to my health information, how do I terminate the app’s access to my data?
  • What is the app’s policy for deleting my data once I terminate access? Do I have to do more than just delete the app from my device?
  • How does this app inform users of changes that could affect its privacy practices?

Being aware of these questions and their answers (typically found in the app’s privacy policy and terms of use) can help empower you to understand how your data will be used, stored, and shared and can help you keep your private data safe and secure.

What is the Health Insurance Portability and Accountability Act (HIPAA)?

The Health Insurance Portability and Accountability Act (HIPAA) is a law aimed at protecting individuals’ medical records and other personal health information. It establishes appropriate safeguards that health care providers and others must achieve to protect the privacy of health information.

The following types of organizations must follow HIPAA regulations:

  • Health Plans, including health insurance companies, HMOs, company health plans, and certain government programs that pay for health care, such as Medicare and Medicaid.
  • Most Health Care Providers—those that conduct certain business electronically, such as electronically billing your health insurance—including most doctors, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies, and dentists.
  • Health Care Clearinghouses—entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.
  • The business associates of covered entities (e.g., contractors or subcontractors who require access to personal health information) must also follow parts of the HIPAA regulations.

Many organizations that have health information about you do not have to follow HIPAA. Examples of these organizations include life insurers, employers, workers’ compensation carriers, many schools and school districts, many state agencies like child protective service agencies, most law enforcement agencies, and many municipal offices.

Filing a HIPAA complaint with OCR

If you have concerns that an application is violating your HIPAA privacy rights, you can submit a complaint to The U.S. Department of Health & Human Services (HHS) Office for Civil Rights (OCR).

Centralized Case Management Operations
U.S. Department of Health and Human Services
200 Independence Avenue, S.W.
Room 509F HHH Bldg.
Washington, D.C. 20201

What is the Federal Trade Commission (FTC)?

Most 3rd party apps will not be covered by HIPAA. Instead, they will fall under the jurisdiction of the FTC and the protections provided by the FTC Act.

The FTC Act protects consumers against fraud, deception, and unfair business practices. An example of this might be a 3rd party application sharing your personal information even though their privacy policies state that they will always require your consent.

Filing a complaint with the FTC

If you have concerns that this application is engaging in an unfair or deceptive business practice (for example, because its data practices conflict with its privacy policy), you can submit a complaint to the Federal Trade Commission (FTC).

Download all of this content from our GitLab page.

Learning Locations

Educational content should be easily accessible to your members. CARIN recommends providing educational portals in the following locations:

Online Learning Center

Give your website a designated page for teaching your members about sharing their data and how to protect themselves. This way they can always find this important information when they are ready to learn.


Connection Experience

Providing educational material within the connection flow can help members learn about data sharing and security just as they are about to connect to a 3rd party app. Having this information at their fingertips can empower informed consent.
