Certain Aetna1 members have the right to direct Aetna to disclose their claims data, encounter data, and clinical data (collectively “health data”) held by Aetna or certain of its government program health plan subsidiaries and affiliates to a designated third-party application (app) through certain standardized technology2.
Aetna is also required by law to provide these educational resources, which you may use when making decisions about who you choose to share your health data with.
Currently, only Medicare Advantage, Medicaid, and Qualified Health Plans on the Federally Facilitated Exchange members may direct Aetna to give consent to share their health data with third-party apps via Aetna's Patient Access API.
1“Aetna” and the pronouns “we,” “us,” or “our” may refer to one or more of the Aetna group of subsidiary companies and their affiliates.
2See The Centers for Medicare and Medicaid Services (“CMS”) Interoperability and Patient Access Final Rule (CMS-9115-F).
It is important for you to take an active role in protecting your own health data.
If you direct Aetna to share your health data with a third-party app, Aetna has no control over how the third-party app will use or share your health data. Aetna does not review or evaluate third-party apps or their privacy or security practices for your health data.
Some third-party apps may share your health data with other third parties.
Health data can be very sensitive, and you should be careful to choose apps with strong privacy and security standards to protect it.
What health data will this app collect?
Will this app collect non-health data from my device, such as my location?
Will my data be stored in a de-identified or anonymized form?
How will this app use my data?
Will this app disclose my data to third parties?
Will this app sell my data for any reason, such as advertising or research?
Will this app share my data for any reason? If so, with whom? For what purpose?
How can I limit this app’s use and disclosure of my data?
What security measures does this app use to protect my data?
What impact could sharing my data with this app have on others, such as my family members?
How can I access my data and correct inaccuracies in data retrieved by this app?
Does this app have a process for collecting and responding to user complaints?
If I no longer want to use this app, or if I no longer want this app to have access to my health information, how do I terminate the app’s access to my data?
What is the app’s policy for deleting my data once I terminate access? Do I have to do more than just delete the app from my device?
How does this app inform users of changes that could affect its privacy practices?
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law. One part of it helps protect personal health information. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces the HIPAA Privacy, Security, and Breach Notification Rules, and the Patient Safety Act and Rule.
Organizations and individuals who must follow HIPAA regulations are called “covered entities,” which can include:
Health plans, like health insurance companies, health maintenance organizations (HMOs), company health plans, and certain government programs that pay for health care, like Medicare and Medicaid
Many health care providers—those that conduct certain business electronically, such as electronically billing your health insurance—including most doctors, health clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies, and dentists
Health care clearinghouses
Additionally, “business associates” who provide certain services for covered entities must follow parts of the HIPAA regulations. Examples of business associates include billing companies, health care claims processors, companies that store or destroy medical records, and those that help administer health plans.
Many organizations that have health information about you do not need to follow HIPAA rules. Examples of these organizations may include life insurers, employers, workers compensation carriers, many schools and school districts, many state agencies, many law enforcement agencies, and many municipal offices.
Most third-party apps will not be covered by HIPAA. Most third-party apps will instead fall under the jurisdiction of the Federal Trade Commission (FTC) and the protections provided by the FTC Act.
If you think your HIPAA Privacy Rights have been violated, you can contact us using the toll-free Member Services number on your health plan ID card or you may contact the Allina Health | Aetna Medicare Privacy Office directly at the address below:
HIPAA Member Rights Team
P.O. Box 14079
Lexington, KY 40512-4079
You may also write the Secretary of the U.S. Department of Health and Human Services.
Health plans are offered or underwritten or administered by Coventry Health Plan of Florida, Inc., Aetna Health Inc. (Georgia), Aetna Life Insurance Company, Aetna Health of Utah Inc., Aetna Health Inc. (Pennsylvania), or Aetna Health Inc. (Texas) (Aetna). Aetna is part of the CVS Health family of companies.
Health benefits and health insurance plans contain exclusions and limitations.
Links to various non-Aetna sites are provided for your convenience only. Aetna Inc. and its subsidiary companies are not responsible or liable for the content, accuracy, or privacy practices of linked sites, or for products or services described on these sites.