As of July 1, 2021, UPMC Health Plan members can access their health care claims and other clinical information through the application (“app”) of their
choice – this is part of a new federal requirement known as Interoperability & Patient Access. Available information includes medical and pharmacy claims,
certain clinical information that UPMC Health Plan has received from your health care providers, and provider directory information. While getting this
information through an app on your computer, tablet, or smartphone will be fast and easy, there are also some important steps you should take to make sure
that your sensitive, confidential health information remains private and protected.
- What is Interoperability?
The term “interoperability” broadly refers to the coordinated exchange of health information. Because the Centers for Medicare & Medicaid Services
issued federal rules under the title “Interoperability and Patient Access,” Interoperability (capitalized) often refers to the specific exchange of
health information that is required under those rules. You should keep in mind that your access to your own information is only one part of the
Interoperability rule – there are also requirements for health care provider directories and future requirements for health plans to exchange information
when you change plans – so you may see the term used in other places with a slightly different meaning.
- What part of the Interoperability rule lets members access their health information through an app?
This part of the rule is known as the Patient Access API. “API” stands for Application Programming Interface, which is a form of computer software
that your health plan must set up to handle incoming requests from apps when you want to access specific information. Another part of the rule,
known as the Provider Directory API, works in the same way but is designed to transmit contact and other information about UPMC Health Plan’s
network of health care providers.
- Do all health plans have to set up a Patient Access API?
If you get medical coverage through Medicare Advantage, Medicaid, the Children’s Health Insurance Program (CHIP), or a Qualified Health Plan (QHP) on
the Marketplace (known as Pennie in Pennsylvania), your health plan should have a Patient Access API.¹
¹ Standalone Dental plans and QHP issuers in the Federally Facilitated Small Business Health Options (FF-SHOP) Marketplace may be exempt.
UPMC Health Plan allows all of our members with medical benefits to access their information regardless of the type of plan (this includes UPMC for
Life, UPMC for Kids, UPMC for You, UPMC Community HealthChoices, and UPMC Advantage products for both Employer Groups and Individuals, in addition to
- What information is available to me?
The Patient Access API provides access to medical and pharmacy claims, provider encounter (visit), cost, and specific types of clinical information
that your health care providers have sent or shared with UPMC Health Plan.
Note: While UPMC Health Plan is required to disclose the clinical information that we have received on your behalf, we do not maintain all of your
clinical information or receive medical record information from all the providers that you may see. In addition, even when we do receive clinical
data, we may only maintain records of the data as necessary for specific purposes (e.g., care management, assistance with discharge planning,
pharmacy medication reviews) – this includes information that can change as your health and personal situation changes even if those changes are not
reported to UPMC Health Plan. Because of this, some of the clinical information available through the Patient Access API may appear to be outdated.
This does not mean that the information in your provider medical records is incorrect. Your provider(s) should have the most current clinical data
in their copies of your records based on information they collected at your last visit or treatment.
- Can I control access to my information after I view it with my chosen App?
It depends. Because third-party Apps are not subject to the same privacy standards as health plans and health care providers, they may take a
different approach to storing, using, and disclosing your data. They may or may not offer you specific options to control access to your information
once it is in the App. You should closely review an App’s privacy practices and any information they have about access and disclosure of your
information – for more tips on choosing an App to trust, see the “Selecting an App” section of this
- What should I consider when choosing an App?
While UPMC Health Plan does not endorse any specific third-party App, there are certain things you should look for and think about when choosing any
App to access your protected health information. Your best bet is to start with an App from a trustworthy source that you have confidence in.
Before downloading or sharing your information with a new App, ask the following questions:
If an App doesn’t clearly explain how it will use your information, you should consider using another
- What health data will this App collect? Will this App also collect non-health data from my device, such as my location?
Consider whether you want an App that has your health information to also know other information about you.
While the App might have a reason for requesting other information, giving more of your information to be stored in one place could make
it easier for someone who accesses that information to identify you or steal your identity.
- Will my data be stored in a de-identified or anonymized form?
De-identified data removes details like phone numbers, medical record file numbers, and dates so that the stored
information cannot be used to identify you.
- Will this App disclose my data to third parties?
- Will this App sell my data for any reason, such as advertising or research?
- Will this App share my data for any reason? If so, with whom? For what purpose?
- Does this App allow me to limit its use and disclosure of my data? How?
- What security measures does this app use to protect my data?
Look for Apps that explain their use of encryption (scrambled data) to prevent unauthorized users from accessing
- What impact could sharing my data with this app have on others, such as my family members?
- How can I access my data and correct inaccuracies in data retrieved by this app?
- Does this app have a process for collecting and responding to user complaints?
- If I no longer want to use this app, or if I no longer want this app to have access to my health information, how do I terminate the app’s
access to my data?
- What is the app’s policy for deleting my data once I terminate access? Do I have to do more than just delete the app from my
- How does this app inform users of changes that could affect its privacy practices?
should be careful to choose Apps with strong privacy and security standards to keep it protected.
Above all else, trust your instincts! If you get an unsolicited e-mail advertising an App, see a message from someone you don’t know asking you to
try a new App, or see anything that seems “off” about an App, don’t use it!
- What is different about a third-party App?
A third-party App is one provided by someone other than your health plan. In some cases, third-party Apps might be offered by brands that are
familiar to you or they may be from a software developer you have never heard of before. While you are entitled to use the App of your choice,
including a third-party App, you should carefully consider how any App will store and protect your sensitive health data. Important rights and
protections under health care privacy laws like HIPAA will normally apply to an App offered by your health plan or health care provider, but
generally will not apply to most third-party Apps.
- Does UPMC Health Plan have an App I can use to access my health information?
The free UPMC Health Plan mobile app puts your health information in one place. And you can access that information instantly — anywhere, anytime.
With the UPMC Health Plan mobile app you can:
- Access digital member ID cards for yourself and your family.
- Contact Member Services through secure messaging and live chat.
- View your claims information.
- Search for in-network providers.
- Can UPMC Health Plan help me if I have problems with a third-party App?
Unfortunately, UPMC Health Plan does not have relationships with most third-party App developers and cannot provide support for problems with a
- Does UPMC Health Plan screen third-party Apps or require App developers to attest to specific security practices?
No, because UPMC Health Plan is not permitted to limit API access in this way. The Interoperability and Patient Access rule does not allow UPMC
Health Plan to impose unique screening criteria or standards on Apps that members have authorized to access their health information. It is true
that all Apps connecting to UPMC Health Plan’s APIs, including the Patient Access API, must meet minimum technical standards for information security
with respect to the initial connection and access. We also encourage App developers to adhere to the CARIN Code of Conduct and Trust Framework,
which were developed by health IT experts and consumer representatives to establish universal guidelines for safely and reliably sharing and
protecting electronic health information. However, UPMC Health Plan is not permitted to require that Apps or App developers engage in specific
privacy or security practices after they have accessed your information, and we cannot limit the ways in which a third-party App stores or uses your
data after it has been transmitted through the API. Most third-party Apps are also not subject to the HIPAA privacy protections that otherwise
apply to the protected health information held by your health plan or health care providers. To learn more about choosing an App to safely access
and protect your health information, see the “What should I consider when choosing an App?” Q&A in this
- How does UPMC Health Plan protect my health information?
Like almost all plans and providers, UPMC Health Plan is required to protect your health information under a federal law known as the Health Insurance
Portability and Accountability Act (HIPAA), as well as under various state laws that include either comparable or enhanced protection. If HIPAA
applies to a health plan, provider, or other entity, they are often known as “HIPAA covered” or a “HIPAA covered entity.” HIPAA requires covered
entities like UPMC Health Plan to protect your health information unless you ask that it be disclosed, except in certain cases where disclosing some
part of your health information (usually to another covered entity like a health care provider or government agency that provides your benefits) is
necessary to ensure that you receive quality treatment, to pay for care you receive, or for health plan operations that allow us to manage your plan
benefits. More details about UPMC Health Plan’s protection and permitted use of your health information are available in our
- Where can I learn more about my rights under HIPAA and who HIPAA applies to?
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces
the HIPAA Privacy, Security, and Breach Notification Rules, and the Patient Safety Act and Rule.
You can find more information about patient rights under HIPAA and who is obligated to follow
- Do all Apps have to protect my health information?
Most third-party Apps are not covered by HIPAA. Most third-party Apps will instead fall under the oversight of the Federal Trade Commission (FTC).
While the FTC Act includes protections against, among other things, “deceptive acts” (e.g., a third-party App sharing your information without
permission after saying it won’t do so), it does not automatically include the types of comprehensive rights and privacy protections for health
information that are required for HIPAA covered entities.
The FTC provides information about mobile app privacy and security for consumers here:
- Device Controls
You should consider limiting your use of Apps for the Patient Access API to a single, private, personal device. You should have a strong, unique
password for the App and should set up Multi-Factor Authentication if possible.
- How is my data secured?
The UPMC APIs are secured using a standards-based FHIR SMART Authentication Flow. Third-party applications request a
registration key from UPMC, and with that key, they can allow members to sync their data from our APIs, which sit behind the UPMC Multi-Factor
Authentication login. Users control access to their data by authorizing it with their UPMC Health Plan credentials. These are the same
credentials used to authenticate with the Health Plan mobile application.
- What can I do if I think my data has been used inappropriately?
If you believe that your privacy rights have been violated, you can file a complaint. There are different options for filing your complaint depending
upon who you believe violated your rights.
If your complaint involves a third-party App, you may submit a complaint to the FTC using the FTC Complaint Assistant:
If you have a concern about UPMC Health Plan and your privacy rights, you can contact our Member Services team toll-free at 1-877-574-5517
(TTY: 1-800-361-2629). If we are unable to address your privacy concerns as a current member, you may ask to file a complaint. More information
about our complaint process and your privacy rights can be found in the Notice of Privacy Practices that applies to your type of UPMC Health Plan
coverage. Please visit the “HIPAA Privacy Forms” section of our website
(https://www.upmchealthplan.com/privacy.aspx#hipaa) for the
most current version of this information.
If you believe that your privacy rights under HIPAA have been violated, you may file a complaint with the HHS Office for Civil Rights (OCR). To
learn more about filing a complaint with OCR under HIPAA, visit:
Disclaimer: The educational information presented here is intended solely to inform consumers about the availability and use of the
Patient Access API and other related APIs. This information is not intended to grant any rights or impose any obligations. The recommendations and
commentary presented are designed as a helpful summary and are not a replacement for comprehensive individual review and analysis of the risks and questions
presented when accessing protected health information. The descriptions of privacy rights, laws, and applicable standards are not comprehensive and are not
a substitute for professional legal advice.