Sharing And Safeguarding Your Personal Information
Sharing Your Health Data
Interoperability is the ability for electronic systems to be able to communicate and exchange data in the same way. Through implementation of the requirements in the Interoperability and Patient Access final rule (CMS-0115-F), GHC-SCW is creating more ways to access your health data. Interoperability will make it easier for app developers to create connections to GHC-SCW and your health data.
The change in access and control of your health data means that you will now have more responsibility for your health data, and keeping it safe. You will have the ability to readily authorize third-party applications (apps) to access to your health data. You should educate yourself on the risks and benefits of authorizing access to your health data, and protecting your health data should be your top priority.
GHC-SCW believes it is important to help you understand your role and responsibility in protecting your health data. The following information is intended to provide you with basic information regarding the Patient Access API, and what you should know and consider before authorizing access to your health data. If you have concerns about the security of your health data, GHC-SCW strongly urges you to learn more before authorizing access.
Patient Access API
As a Member, you always have the ability to use GHCMyChartSM, which is GHC-SCW's portal to access your health data. Visit https://ghcscw.com/ghcmychart#/ to learn more about GHCMyChartSM and sign-up for an account.
In addition to GHCMyChartSM, GHC-SCW now provides a “Patient Access API." The Patient Access API allows third-party apps to access your data when you give permission. ONLY with your permission can a third-party app access your data through the “Patient Access API".
If you want to use a third-party app to access your data, the app will use the Patient Access API. When using the Patient Access API, you will need to authenticate your identity by using your GHCMyChartSM username and password. Requiring this authentication with a username and password helps protect your health data and make sure only apps you authorize can access your health data. You can terminate access to any authorized app, at any time, in GHCMyChartSM.
You can decide which third-party apps, if any, you would like to use by downloading the app on your smartphone, computer, tablet, etc. and then you can check if the app is connected to GHC-SCW. The information that can be accessed by third-party apps includes the following information for as long as we maintain it in our records:
- Claims (both medical and pharmacy) and encounter data concerning your interactions with health care providers; and
- Clinical data that we collect in the process of providing case management, care coordination, or other services to you.
IMPORTANT NOTE: The information that can be accessed may include information about treatment for Substance Use Disorders, mental health treatment, HIV status, or other sensitive information. If you do not want that information to be access, you should not permit the app to access your health data.
What Should I Know Before Authorizing a Third-Party App to Access My Health Data?
While GHC-SCW generally cannot block apps from connecting and accessing your health data if you grant them permission, to connect with GHC-SCW's system app developers must provide certain information regarding how they will use your health data and complete a data use questionnaire. Prior to authorizing the app to access your health data, you will be presented with information regarding the app's use of your health data. In addition, based on the app developer's responses, you may receive a warning message that the app developer does not following GHC-SCW's best practice standards. You will have the opportunity to cancel the request or proceed with allowing the app to access your health data. If you see a warning message, GHC-SCW strongly encourages you to reconsider use of the app.
In addition to checking whether an app follow's GHC-SCW's best standard practices, you can visit My Health Application for a list of apps that have attested to the CARIN Code of Conduct ensuring they meet the strictest privacy and security guidelines.
What Should I Consider When Selecting an App?
- Will this App SELL my data for any reason?
- Will this App DISCLOSE my data to third parties for purposes such as research or advertising?
- How will this App USE my data? For what purposes?
- How long will this App have AUTOMATIC ACCESS to my data before I need to re-authorize access?
- Will the App allow me to limit how it uses, discloses, or sells my data?
- If I no longer want to use this App, or if I no longer want this App to have access to my health information, can I terminate the App's access to my data? If so, how difficult will it be to terminate access?
- What is the App's policy for DELETING my data once I terminate access? Do I have to do more than just delete the App from my device?
- Is the App FORCING me to share my data or threatening me or my computer with harm if I do not authorize access?
- How will this App inform me of changes in its privacy practices?
- Will the App collect non-health data from my device, such as my location?
- What security measures does this App use to protect my data?
- What impact could sharing my data with this App have on others, such as my family members?
- Will the App permit me to access my data and correct inaccuracies? (Note that correcting inaccuracies in data collected by the App will not affect inaccuracies in the source of the data.)
- Does the App have a process for collecting and responding to user complaints?
Covered Entities and HIPAA Enforcement
The U.S. Department of Health and Human Services' Office for Civil Rights (OCR) enforces the HIPAA Privacy, Security, and Breach Notification Rules. GHC-SCW is subject to HIPAA as are most health care providers, such as hospitals, doctors, clinics, and dentists. You can find more information about your rights under HIPAA and who is obligated to comply with HIPAA here: https://www.hhs.gov/hipaa/for-individuals/index.html. To learn more about filing a complaint with OCR related to HIPAA requirements, visit: https://www.hhs.gov/hipaa/filing-a-complaint/index.html.
You may also file a complaint with GHC-SCW by contacting the Privacy Officer at (608) 662-4899 or by e-mail at firstname.lastname@example.org.
Remember, once you authorize access for an app to access your information, GHC-SCW can no longer control how that app protects and/or uses your health data.
Privacy Enforcement for Apps
Most third-party apps WILL NOT be subject to HIPAA. An App that publishes a privacy notice is required to comply with the terms of its notice, but generally is not subject to other privacy laws. The Federal Trade Commission Act protects against deceptive acts (such as an App that discloses personal data in violation of its privacy notice). An App that violates the terms of its privacy notice is subject to the jurisdiction of the Federal Trade Commission (FTC). The FTC provides information about mobile App privacy and security for consumers here: https://www.consumer.ftc.gov/articles/0018-understanding-mobile-apps. If you believe an App inappropriately used, disclosed, or sold your information, you should contact the FTC. You may file a complaint with the FTC using the FTC complaint assistant: https://www.ftccomplaintassistant.gov/#crnt&panel1-1
 GHC-SCW partners with Navitus Health Solutions to administer most pharmacy benefits. When you allow an app to access your claims information, the information regarding pharmacy claims is provided by Navitus Health Solutions directly to the app you authorize. Pharmacy claims data is not available via the Patient Access API if GHC-SCW does not administer your pharmacy benefit.
 Except for confirming that you authorized an app to access your information, it is not possible for GHC-SCW or Navitus Health Solutions to provide a detailed report of the information actually accessed by the app.
 See GHC-SCW's Notice of Privacy Practices, which describes how health data GHC-SCW maintains can be used, disclosed, and how you can get access from GHC-SCW to your health data.
 The CARIN alliance is a bipartisan, multi-sector collaborative working to advance consumer-directed exchange of health information. Learn more about third-party application privacy standards on the CARIN Alliance website. The CARIN Code of Conduct is a set of industry-leading best practices these applications have voluntarily adopted to protect and secure your health information.
Today, as we continue to communicate digitally, it’s more important than ever to take steps to protect and secure your personal information. Listed below are resources outlining efforts you can take to protect your health information, financial information and personal.
FTC: How to Keep Your Information Secure
Wisconsin Consumer Protection Hotline
USA.gov Consumer Protection
Patient Privacy Rights
11 Simple Ways to Protect Your Privacy
USA.gov Protect Your Privacy Online
FCC: Protecting Your Privacy
Privacy Rights Clearinghouse
FTC: Children's Online Privacy
Consumer Reports: Protect Your Privacy on Facebook
ABC News: Protect Your Privacy Before Facebook Gets Hacked
Contact Us With Questions or Concerns
1265 John Q. Hammons Drive
Madison, WI 53717