Member Data Rights - CCHP

It is vital for members to take an active role in protecting their health data. Members should look for an easy-to-read privacy policy that clearly tells you how the app will use your data. If an app does not have a privacy policy, members should not use the app.

Members should think about:

• Has the app been passed by any regulatory agency?
• What health data will this app collect?
• Will this app collect non-health data from my phone, such as my location?
• How will this app use my data?
• Will this app show my data to third parties?
• Will this app sell my data for any reason, such as advertising or research?
• Will this app share my data for any reason? If so, with whom? For what reason?
• How can I limit this app’s use and release of my data?
• What safety steps does this app use to protect my data?
• What impact could sharing my data with this app have on others, such as my family members?
• How does this app let users know of changes that could change its privacy practices?
• How can I use my data and fix mistakes in data saved by this app?
• Does this app have a way of taking in and answering a user complaint?
• If I don’t want to use this app anymore, or if I don’t want this app to use my health data, how do I stop the app from getting my data?
• What is the app’s policy for removing my data once I stop using it? Do I have to do more than just delete the app from my phone?

If the app’s privacy policy does not answer these questions, members should either not use the app or look at other apps. Health data is very private and members should be careful to pick apps that have strong privacy and safety standards to protect their data.

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces the HIPAA Privacy, Security, and Breach Notification Rules, and the member Safety Act and Rule. You can find more information about member rights under HIPAA and who is obligated to follow HIPAA.

You may also want to share with members the HIPAA FAQs for Individuals.

Most third-party apps will not be covered by HIPAA. Most third-party apps will instead fall under the jurisdiction of the Federal Trade Commission (FTC) and the protections given by the FTC Act. The FTC Act, among other things, protects against deceptive acts (e.g., if an app shares private data without your okay, despite having a privacy policy that says it will not do so).

The FTC gives information about mobile app privacy and security for consumers.

To file a complaint, members should follow the below listed rules.

• Learn more about filing a complaint with OCR under HIPAA.
• Individuals can file a complaint with OCR using the OCR complaint portal.
• Individuals can file a complaint with the FTC using the FTC complaint helper.