Patient Privacy and Security Resources for Members
Click here to access our Developer Portal to set up a Third-Party App
Click here to create a Member Account to gain access to your claims/encounter and clinical data (Patient Access API)
Before authorizing a third-party app to retrieve your health care data:
- Choose an app that can help you make more informed decisions.
- Always look for an easy-to-read privacy policy that clearly explains how the app will use your data.
- If the app does not have a privacy policy, it is best not to use that app.
Please consider the following when choosing an app:
- What health data will the app collect? Will the app collect non-health data from my devices, such as my location?
- Will the data be stored in a de-identified or anonymized form?
- How will the app use my data?
- Will the app disclose my data to third parties?
- How can I limit the app’s use and disclosure of my data?
- What security measures does the app use?
- What impact could sharing my data with the app have on others, such as my family?
- How can I access my data and correct inaccuracies?
- Does the app have a process for collecting and responding to user complaints?
- If I no longer want to use the app, how do I terminate the app’s access to my health information?
- What is the app’s policy for deleting data once I terminate access?
- How does the app inform users of changes that could affect its privacy practices?
What are members’ rights under HIPAA, and who must follow HIPAA?
- The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces the HIPAA Privacy, Security, and Breach Notification Rules, and the Patient Safety Act and Rule.
- You can find more information about patient rights under HIPAA and who is obligated to follow HIPAA here: Your Rights Under HIPAA | HHS.gov
- You can also find HIPAA FAQs for Individuals here: HIPAA FAQs for Individuals | HHS.gov
Are Third-Party Apps Covered by HIPAA?
- Most third-party apps will not be covered by HIPAA.
- Instead, they will fall under the jurisdiction of the FTC and the protections provided by the FTC Act.
What should members do if they think their data has been breached or an app has used their data inappropriately?
- If you believe your data has been breached, please contact Central Health Plan of California’s Compliance Department via email at compliance@centralhealthplan.com or by telephone at (626) 388-2392. You may also mail us at Attn: Compliance Department, Central Health Plan of California, PO Box 14244, Orange, CA 92863.
Alternatively, you may also submit a complaint to OCR or FTC:
To learn more about filing a complaint with OCR under HIPAA, visit:
https://www.hhs.gov/hipaa/filing-a-complaint/index.html
Individuals can file a complaint with OCR using the OCR complaint portal:
https://ocrportal.hhs.gov/ocr/smartscreen/main.jsf
Individuals can file a complaint with the FTC using the FTC complaint assistant:
https://www.ftccomplaintassistant.gov/#crnt&panel1-1