Interoperability and Third-Party Applications

Accessing Your Health Information

The CMS Interoperability and Patient Access Rule (“The Rule”) was established by the Centers for Medicare and Medicaid Services (CMS) in May 2020. This rule applies eternalHealth members. The Rule made it simpler for eternalHealth members to access their health information. The Rule also created methods to enable members to access their healthcare information through third-party software apps.

What is Interoperability?

Interoperability is the ability for electronic systems to communicate and exchange data in the same way, which will simplify how app developers create connections to eternalHealth and your health information. Interoperability improves the efficiency of healthcare. Interoperability allows you to securely access your health information on a smartphone or other electronic device for personal use. You could show your healthcare information to your healthcare provider so any provider who’s treating you can have more information about your health history. This does not mean your information will be automatically shared: you will get to control over who has access to your data.

eternalHealth Patient Access API

Under The Rule, eternalHealth must provide a “Patient Access API.” The Patient Access API will be used to provide you with detailed information about your health information. The Patient Access API provides a method for apps to access your health information when you approve that access. Apps cannot access your data through the Patient Access API without your express permission. While you are a current eternalHealth member, you can take advantage of these capabilities by downloading an app on your smart phone, tablet, computer or other similar device and checking to see if they have created a connection to eternalHealth. If they have then you can authorize the app to access your health information. The information available through the Patient Access API includes information we collect about you while you have been enrolled in certain lines of business since January 1, 2016. The information includes the following information for as long as we maintain it in our records:
  • Claims and “encounter” data concerning your interactions with health care providers; and
  • Clinical data that we collect in the process of providing case management, care coordination, or other services to you
  • The information we will disclose may include information about treatment for substance use disorders, mental health treatment, HIV status, or other sensitive information.

What important things should you consider before authorizing a third-party app to retrieve your health data?

  • What health data will this app collect?
  • Will this app collect non-health data from my device, such as my location?
  • Will my data be stored in a de-identified or anonymized form?
  • How will this app use my data?
  • Will this app disclose my data to third parties?
  • Will this app sell my data for any reason, such as advertising or research?
  • Will this app share my data for any reason? If so, with whom? For what purpose?
  • How can I limit this app’s use and disclosure of my data?
  • What security measures does this app use to protect my data?
  • What impact could sharing my data with this app have on others, such as my family members?
  • How can I access my data and correct inaccuracies in data retrieved by this app?
  • Does this app have a process for collecting and responding to user complaints?
  • If I no longer want to use this app, or if I no longer want this app to have access to my health information, how do I terminate the app’s access to my data?
  • What is the app’s policy for deleting my data once I terminate access? Do I have to do more than just delete the app from my device?
  • How does this app inform users of changes that could affect its privacy practices?

Covered Entities and HIPAA Enforcement

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) enforces the HIPAA Privacy, Security, and Breach Notification Rules. eternalHealth is subject to HIPAA as are most health care providers, such as hospitals, doctors, clinics, and dentists. You can find more information about your rights under HIPAA and find who is obligated to comply with HIPAA here: To learn more about filing a complaint with the OCR related to HIPAA requirements, visit You may also file a complaint with eternalHealth by contacting Member Services at 1-800-680-4568 (TTY 711).

Apps and Privacy Enforcement

Each app provider will have different policies; we suggest that you ask each app provider for their “Notice of Privacy Practices.” Additionally, note that most apps will not be covered by HIPAA, but will instead be subject to the jurisdiction of the Federal Trade Commission (FTC) and the protections offered by the FTC Act. The FTC provides information about mobile app privacy and security for consumers here: If you believe an app inappropriately used, disclosed, or sold your information, you should contact the FTC. You may file a complaint with the FTC using the FTC complaint assistant:

What should you do if you believe your health data has been breached or an application has used your data inappropriately?

If you think your HIPAA Privacy Rights have been violated, you can contact us at (888) 712-4150 toll-free, or you may contact our Privacy Office directly at the address below: eternalHealth Privacy Officer eternalHealth, Inc. 31 Saint James Ave. Suite 950 Boston, MA 02116 If you believe a HIPAA-covered entity (e.g., a doctor, hospital, or a health plan like eternalHealth) has violated your HIPAA Privacy Rights, you may file a complaint with the Office for Civil Rights (OCR). The OCR is the agency within the U.S. Department of Health and Human Services (HHS) that investigates a complaint and has the authority to enforce the HIPAA privacy and security rules. To learn more about filing a complaint, visit I Am a Third-party App Developer. How Can I Register to Use the eternalHealth’s APIs? Please email your request to and we will reach out to you with access details after verifying your credentials. Citations 42 C.F.R. § 422.119(g)
Page Last Updated On: August 18, 2022