Health Data Permissions and Privacy
Resources on privacy and security
Some members have the right to tell Mercy Care to release some of their health data to third-party apps.
Here are some educational materials. You can use them to help decide who to share your health data with.
Learn about the Payer-to-Payer Data Exchange.
Protect the privacy and security of your health data
Take care when choosing which apps you share your health data with. Health data can be very sensitive. We don’t control how third-party apps use or share your health data. We don’t review third-party apps or their privacy and security standards for your health data.
Things to think about when choosing a third-party app to receive your health data
- What health data will this app collect?
- Will this app collect non-health data from my phone, such as my location?
- Will this app store my data in a de-identified or anonymized form?
- How will this app use my data?
- Will this app share my data with other third parties?
- Will this app sell my data for any reason, such as advertising or research?
- Will this app share my data for any reason? If so, with whom? For what purpose?
- How can I limit this app’s use and disclosure of my data?
- What security measures does this app use to protect my data?
- What impact does sharing my data with this app have on others? Does this impact my family members?
- How can I access my data and correct wrong info saved by this app?
- Does this app have a process for collecting and responding to user complaints?
- If I no longer want to use this app, or if I no longer want this app to have access to my health information, how do I stop the app from getting my data?
- What is the app’s policy for removing my data once I end access?
- Do I have to do more than just delete the app from my device?
- How does this app tell users about changes that could affect its privacy practices?
What is HIPAA?
- The Health Insurance Portability and Accountability Act (HIPAA) is a federal law. One part of it helps protect personal health information. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces the HIPAA Privacy, Security, and Breach Notification Rules, and the Patient Safety Act and Rule.
- You can find HIPAA FAQs for individuals from HHS
Who must follow HIPAA?
“Covered entities” must follow HIPAA rules. This can include:
- Health plans:
- Health insurance companies
- Health maintenance organizations (HMOs)
- Company health plans
- Certain government programs that pay for health care, like Medicare and Medicaid
- Many health care providers that do business electronically. For example, if they bill your health insurance electronically. This can include:
- Health clinics
- Nursing homes
- Health care clearinghouses
“Business associates” who provide certain services for covered entities must follow parts of the HIPAA rules. This can include:
- Billing companies
- Health care claims processors
- Companies that store or destroy medical records
- Those that help administer health plans
Many entities that have your health info don’t need to follow HIPAA rules. These may include:
- Life insurers
- Workers compensation carriers
- Schools and school districts
- State agencies
- Law enforcement agencies
- Municipal offices
You can find more info from HHS about patient rights under HIPAA and who must follow HIPAA
Do third-party apps have to follow HIPAA rules?
You can read more from the FTC about mobile app privacy and security
How do I file a HIPAA privacy complaint?
If you think your HIPAA privacy rights were violated, you have options:
- Call us toll-free at the Member Services number on your member ID card.
- Write the Aetna Privacy Office at the address below:
- HIPAA Member Rights Tea
P.O. Box 14079
Lexington, KY 40512-4079
- Write the Secretary of the U.S. Department of Health and Human Services
- Learn more about filing a complaint with HHS OCR under HIPAA
- File a complaint with HHS OCR using the OCR complaint portal
File a complaint if you think an app has misused your data.