Effective Date: 10/17/2025

 

Privacy guidance when selecting third-party apps

We provide you with access to detailed information about your health history through a “Patient Access API.” While you are a current member, you may access this information by downloading a third-party application (app) on your smartphone, tablet, computer, or other similar device.

It is important for you to understand that the third-party app you select will have access to all of your information. The third-party app you choose should be subject to the Health Insurance Portability and Accountability Act (HIPAA) rules and other privacy laws, which generally protect your health information. Please be sure that the third-party app developer recognizes they are subject to HIPAA. For example, the third-party app’s privacy policy should describe legally-imposed limitations on how the third-party app will use, disclose, and (possibly) sell information about you.

It is important for you to know once we send your data to the third-party app, we no longer control how the third-party app uses or shares your information. If you decide to access your information through the Patient Access API, you should carefully review the privacy policy of any third-party app you are considering using to ensure you are comfortable with what the third-party app may do with your information. 

The information we will disclose may include treatment for substance use disorders, mental health treatment, HIV status, or other sensitive information. 

 

Things you may wish to consider when selecting a third-party app:

  • Will this third-party app sell my data for any reason?
  • Will this third-party app disclose my data to third parties for purposes such as research or advertising?
  • How will this third-party app use my data? For what purposes?
  • Will the third-party app allow me to limit how it uses, discloses, or sells my data?
  • If I no longer want to use this third-party app, or if I no longer want this third-party app to have access to my health information, can I terminate the third-party app’s access to my data? If so, how difficult will it be to terminate access?
  • What is the third-party app’s policy for deleting my data once I terminate access? Do I have to do more than just delete the third-party app from my device? 
  • How will this third-party app inform me of changes in its privacy practices?
  •  Will the third-party app collect non-health data from my device, such as my location?
  • What security measures does this third-party app use to protect my data?
  • What impact could sharing my data with this third-party app have on others, such as my family members?
  • Will the third-party app permit me to access my data and correct inaccuracies? (Note that correcting inaccuracies in data collected by the third-party app will not affect inaccuracies in the source of the data.)
  • Does the third-party app have a process for collecting and responding to user complaints?  

If the third-party app’s privacy policy does not satisfactorily answer these questions, you may wish to reconsider using the third-party app to access your health information. Your health information may include very sensitive information. You should therefore be careful to choose a third-party app with strong privacy and security standards to protect it.  

 

Covered entities and HIPAA enforcement

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) enforces the HIPAA Privacy, Security, and Breach Notification Rules. You can:

Blue Shield Privacy Office
P.O. Box 272540
Chico, CA 95927-2540

 

Third-party apps and privacy enforcement

Additionally, the Federal Trade Commission Act protects against deceptive acts (such as a third-party app that discloses personal data in violation of its privacy notice). A third-party app that violates the terms of its privacy notice may be subject to the jurisdiction of the Federal Trade Commission (FTC). The FTC provides information about mobile app privacy and security for consumers.