In compliance with the Interoperability and Patient Access Rule (CMS-9115-F), Alliant Health Plans is providing our members with a secure, standards-based Patient Access Application Programming Interface (API) that will allow you to store and access all of your personal health information (PHI) in one place. Complete access to your PHI will allow you to personally manage your health and know what health care resources are available to you, but extreme caution should be used to ensure that you are actively protecting your personal health information.

Starting in 2021, this new federal rule will make it possible for you to access and share your health information with health care providers via an app on your phone or computer concerning:

  • Claims (paid and denied)
  • Past test results
  • Your cost of care
  • Healthcare providers
  • Provider appointments
  • Health status
  • Specific parts of your clinical information
  • Pharmacy directory data (for Medicare Advantage Prescription Drug – MAPD – plans)

*CAUTION: Before choosing a third-party application programming interface or app, please consider the following information on how to choose a credible app provider and to better understand how storing your PHI in this way could impact your rights according to HIPAA – as well as the rights of any dependents listed on your insurance plan.

Here are questions you’ll want to ask before releasing your personal information:

Please contact Alliant Client Service at (866) 403-2785 to request access to your PHI.

The Health Insurance Portability and Accountability Act of 1996, or HIPAA, covers both organizations and individuals. Those who are required to comply with HIPAA are called HIPAA covered entities.

HIPAA covered entities include health plans, clearinghouses, and certain health care providers as follows:

Health Plans

  • Health insurance companies
  • HMOs, or health maintenance organizations
  • Employer-sponsored health plans
  • Government programs that pay for health care, like Medicare, Medicaid, and military and veterans’ health programs

Clearinghouses

Clearinghouses include organizations that process nonstandard health information to conform to standards for data content or format, or vice versa, on behalf of other organizations.

Providers

Providers who submit HIPAA transactions, like claims, electronically are covered. Providers include, but are not limited to:

  • Doctors
  • Clinics
  • Psychologists
  • Dentists
  • Chiropractors
  • Nursing homes
  • Pharmacies

Business associates

If a covered entity engages a business associate to help carry out its health care activities and functions, the covered entity must have a written business associate contract or other arrangement with the business associate that:

  • Establishes specifically what the business associate has been engaged to do
  • Requires the business associate to comply with HIPAA

Examples of business associates include:

  • Third-party administrator that assists a health plan with claims processing
  • Consultant that performs utilization reviews for a hospital
  • Health care clearinghouse that translates a claim from a nonstandard format into a standard transaction on behalf of a health care provider, and forwards the processed transaction to a payer
  • Independent medical transcriptionist that provides transcription services to a physician

For more information, please visit: Are You a Covered Entity? | CMS

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) and Federal Trade Commission (FTC) have oversight authority on interoperability. The OCR enforces the HIPAA Privacy, Security, and Breach Notification rules, and the Patient Safety Act and Rule. The FTC enforces both competition and consumer protection laws and evaluates claims of privacy and data security.

Most apps will not be considered covered entities under HIPAA and will fall under the jurisdiction of the FTC and the protections provided by the FTC Act.
If you believe that a HIPAA-covered entity or its business associate violated your (or someone else’s) health information privacy rights or committed another violation of the Privacy, Security, or Breach Notification Rules, you may file a complaint with the OCR. OCR can investigate complaints against covered entities and their business associates.

Learn more about filing a complaint with OCR under HIPAA.
Individuals can file a complaint with OCR using the OCR complaint portal
Individuals can file a complaint with the FTC using the FTC complaint assistant

The app will collect your health data including, but not limited to, your claims, medications, diagnoses, procedures, and doctor visits. When you enroll in the app, you are giving your permission for the app to collect this information.

Apps do have the ability to collect non-health data such as location. Some apps let you have the option to provide that information. Alliant recommends that you contact your app provider about this.

Alliant recommends that you request a Notice of Privacy Practices from the app provider to understand how the app will store your data.

Although the purpose of the app is for you to be able to see your data in one place, Alliant recommends that you request a Notice of Privacy Practices to understand how the app will use your data.

Alliant recommends that you request a Notice of Privacy Practices from the app provider to understand if the app will share your data with third parties for advertising and research.

Alliant recommends that you request a Notice of Privacy Practices from the app provider to understand if the app will share your data with third parties.

Alliant recommends that you request a Notice of Privacy Practices from the app provider to understand how you can limit the use and release of your data.

Alliant recommends that you request a Notice of Privacy Practices and additional information on security practices from the app provider to understand how they handle a security incident.

Requesting your health data via an app could potentially include the health data of family members who are associated with your health account. If there is a breach of privacy, their personal health information could also be impacted.

To correct mistakes in your health data, you will need to contact your provider or health insurance company. The health app only makes data available from healthcare sources. The app does not create this data. If the app is showing incorrect information that was not sent to the app, then the app must correct this problem.

App providers may respond to user complaints in different ways. Alliant recommends that you ask your app provider about this.

Alliant recommends that you request a Notice of Privacy Practices from the app provider to understand what happens to your data after you stop using the app.

Alliant recommends that you request a Notice of Privacy Practices from the app provider to understand what happens to your data after you stop using the app.

App providers may inform users of policy or app changes in different ways. Alliant recommends that you ask your app provider about this.

At Alliant Health Plans, your privacy and the security of your PHI is a top concern. The new rule allows you to look up your information using an app from a third-party application developer – a company that may not have the same security measures in place as Alliant Health Plans.  For this reason, we want to you to be aware of the security risks that may be associated with releasing your PHI to a third-party app. Please feel free to contact Alliant Customer service at  (866) 403-2785 if you have any questions or concerns about your information and sharing it with a third-party application developer.

Please contact Alliant Customer service at (866) 403-2785 to access your PHI and learn about your next steps.

Alliant recommends that you ask the app provider for their Notice of Privacy and Security Practices. Most apps will not be covered by HIPAA. Most apps fall under the jurisdiction of the Federal Trade Commission (FTC) and the protections provided by the FTC Act. The FTC Act, among other things, protects against deceptive acts (e.g., if an app shares personal data without permission, despite having a privacy policy that says it will not do so). The FTC provides information about mobile app privacy and security for consumers on the FTC Consumer Information website. For apps that are subject to HIPAA, you can find more information about patient rights under HIPAA and who is obligated to follow HIPAA. You can also see the HIPAA FAQs for Individuals.

No, you do not have to use an app to access your health care information. If you need to access your health care information, you can contact your doctor or provider or your health plan.

Alliant recommends that you request a Notice of Privacy Practices from the app provider to understand your rights.

Alliant recommends that you request a Notice of Privacy Practices from the app provider to understand how they respond to a privacy and security incident. You have the right to file a complaint with enforcement agencies including the Office for Civil Rights (OCR) and the Federal Trade Commission (FTC). Most apps will not be considered covered entities under HIPAA. Most apps will instead fall under the jurisdiction of the Federal Trade Commission (FTC) and the protections provided by the FTC Act. The FTC Act, among other things, protects against deceptive acts (e.g., if an app shares personal data without permission, despite having a privacy policy that says it will not do so). Learn more about filing a complaint with OCR under HIPAA. Individuals can file a complaint with OCR using the OCR complaint portal.  Individuals can file a complaint with the FTC using the FTC complaint assistant.

Patient Demographics

  • first name
  • last name
  • previous name
  • middle name
  • suffix
  • birth sex
  • date of birth
  • race
  • ethnicity
  • preferred language

New Demographics

  • current address
  • previous address
  • phone number
  • phone number type
  • email address

Allergies & Intolerances

  • substances (medications)
  • substances (drug class)
  • reaction

Clinical Notes

  • consultation note
  • discharge summary note
  • history & physical
  • imaging narrative
  • laboratory report narrative
  • pathology report narrative
  • procedure note
  • progress note

Vital Signs ****

  • body height
  • body weight
  • BMI percentile (2-20 years)
  • blood pressure
  • heart rate
  • respiratory rate
  • body temperature

Health Concerns
Immunizations
Procedures
Medications|
Laboratory Tests & Results
Assessment &Treatment Plan
Care Team Members

This new rule allows you to have your medical information in one place, which could help you and your doctors or providers understand your health so that you can make decisions that would improve your health outcomes. This may reduce health care (2 words) costs, and this information could follow you to any provider or health plan in the future. The downfall is that this may increase your chances of a significant privacy breach if you decide to share your information with a third-party app provider. Please make your choice to share your personal information carefully and always request, read and understand your app provider’s Notice of Privacy Practices before transferring your PHI.

Any health information maintained by your Health Plan with a date of service January 1, 2016 or later will be made available.

You will have access to your health information, no matter what health plan or provider you go to.

No, you are not required to use an app affiliated with Alliant Health Plans.

There may be some apps that don’t follow all the privacy provisions. Alliant recommends that you request a Notice of Privacy Practices from the app. If the app does not provide you with a Notice of Privacy Practices, Alliant recommends that you choose another app.

Once you have made the request for Alliant to share your Alliant Health Plan information with a third-party app, your PHI will be made available shortly.

Alliant Plans and Change Healthcare are working together to offer our members an interoperability solution based on the FHIR/HL7 standards. Applications from outside sources must first register with Change Healthcare Solution in order to access their APIs. The given data will subsequently be verified by Change Healthcare. The company works to make sure the program and the company that created it are offering a quality and secure application and that they can fulfill all contractual obligations. Following approval of the application, Client Ids and, if necessary, Client Secrets (For Confidential Applications) will be issued, and appropriate access to public keys will be established to guarantee the confidentiality of communications and the signatures of access requests (Public Applications).

Third-party apps that want to be included in the Change Healthcare App Registry must first register here. If you like to use already approved application you can go here.

These are the required technical specifications and attributes necessary to successfully register an application (i.e., API syntax, datatypes and parameters, exceptions and exception handling, configurations etc.):

You can download a spreadsheet of API URL endpoints here. For more information on API endpoints may be found here,  

Please contact Alliant Client Services at (866) 403-2785 to request access to your PHI.