CMS Rule

I still have concerns about security breaches. How do I know I’m not at risk for HIPAA violations?

CMS made the following provisions in the final rule to ensure payers feel safe exchanging and exposing data via APIs and USCDI data sets:

  • A payer may deny a 3rd-party application access to the Patient Access API if the payer reasonably determines that granting access would present an unacceptable level of risk to the security of PHI on the payer’s systems, based on objective and verifiable criteria.
  • Payers must provide enrollees with resources explaining risk factors, including practical strategies to safeguard their privacy and security, and how to submit complaints to OCR or FTC.
  • Payers may request that 3rd-party apps attest to having certain information included in their privacy policy, and inform patients about this attestation, to help ensure patients are aware of the privacy risks associated with their choices.
  • Payers are NOT responsible for breaches of PHI, or for breach notification requirements, when the breach of PHI is caused by a third party or by the patient to whom the payer has released the PHI. The rule also clarifies that privacy issues outside the scope of HIPAA are governed by the FTC under section 5 of the FTC Act (15 U.S.C. Sec. 45(a)) and the FTC Health Breach Notification Rule.

Payers are encouraged to review the OCR website for resources on the individual access standard to ensure they understand their responsibilities.

Get in Touch

Contact us to find out more about the CMS rule, how it applies to your company, and leading vendor solutions.
