A checklist to help your organization prepare to apply for production access to the Blue Button 2.0 API.
What is this Checklist?
We’ve created this checklist to help your organization prepare to apply for production access to the Blue Button 2.0 API. We encourage you to consider each of these questions carefully in preparation for your application demonstration for the CMS team and be prepared to discuss your answers. Not all of these questions may apply to your application.
Over the course of the process, we’ll need some basic information about your application:
What is the name of your organization?
What is the redirect URI of your application?
What is the name of the application to which you’d like to connect the BB2.0 API?
Describe the nature of your application (i.e. how a Medicare beneficiary would use your application).
When do you hope to release your application for public use?
How many Medicare users do you anticipate your application will attract?
Do you have any specific plans to market your application?
Please list who you’d like the Blue Button 2.0 API team to contact for matters related to your application, such as to set up and attend a demonstration of your application, or to answer any follow-up questions we may have about this application.
Adherence to the Blue Button 2.0 API Terms of Service & General Privacy Guidelines
The following section is intended to help us understand what your application is doing to protect the sensitive data of Medicare beneficiaries.
Specify your company’s data collection practice, including any use and sharing of de-identified, anonymized or pseudonymized data.
Specify your company’s user consent practice, including any use and sharing of de-identified, anonymized or pseudonymized data.
Specify your company’s data disclosure practice, including any use and sharing of de-identified, anonymized or pseudonymized data.
Specify your company’s data access practice, including any use and sharing of de-identified, anonymized or pseudonymized data.
Specify your company’s security practice, including any use and sharing of de-identified, anonymized or pseudonymized data.
Specify your company’s retention/deletion practice, including any use and sharing of de-identified, anonymized or pseudonymized data.
Will the notification give the user context for what has changed and allow them to update their privacy settings and/or opt-out of service?
If data is shared with third parties, is that on a one-time basis, or persistently collected?
If data is persistently collected, over what time frame is it collected?
Do you explain what happens to a user’s data if they withdraw their consent?
Do you continue to retain and use their data?
Is their data securely deleted?
What happens if your company is sold and the use of users’ data could change in a material way? Are beneficiaries and CMS notified?
Medicare Beneficiary Consent
This section helps prepare you for questions around your understanding and treatment of Medicare Beneficiary consent to your service.
How will you obtain users’ informed, proactive consent in advance of data sharing? The consent must clearly describe how user data will be collected, used, and shared.
How do you intend to obtain separate, informed, proactive consent to use or disclose data from another individual identified in the protected health information (PHI) of the user?
Note: “We won’t” is an acceptable answer.
Use and Disclosure
If your application works with third-party vendors, do your third-party vendors commit to data protection requirements consistent with the law and your expectations, both based on the sensitivity of PII/PHI?
How will you prohibit the use or disclosure of user information (including de-identified, anonymized or pseudonymized data) by third-party vendors, contractors, and partners for any undisclosed purpose without express consent from the user?
Do you understand that your application may only collect health information that a user expressly consents to?
Do you understand that your application may only collect, use, and disclose health information in ways that are consistent with user expectation and consent?
Where do you publicly host a link with instructions for how a user can request to securely and completely dispose of their identifiable health data?
Do you understand and commit to following laws and best-practices to minimize the risk of unauthorized access, use, destruction, unauthorized annotation or disclosure of user data?
How will you store and retain health information in a manner consistent with best practices associated with the protection of personally identifiable health information?
How will you protect identifiable health information?
Do you agree to comply with applicable breach notification laws and provide meaningful remedies to address security breaches, privacy, or other violations incurred because of misuse of the user’s health information?
How will you notify the public when you receive any certification or accreditation from any independent certifying organizations?