What is this Checklist?
We’ve created this checklist to help your organization prepare to apply for production access to the Blue Button 2.0 API. We encourage you to consider each of these questions carefully in preparation for your application demonstration for the CMS team and be prepared to discuss your answers. Not all of these questions may apply to your application.
Over the course of the process, we’ll need some basic information about your application:
- What is the name of your organization?
- What is the redirect URI of your application?
- What is the name of the application to which you’d like to connect the BB2.0 API?
- Describe the nature of your application (i.e. how a Medicare beneficiary would use your application)
- When do you hope to release your application for public use?
- How many Medicare users do you anticipate your application will attract?
- Do you have any specific plans to market your application?
- Please list who you’d like the Blue Button 2.0 API team to contact for matters related to your application, such as setting up and attending a demonstration of your application or answering any follow-up questions we may have about it.
The following section is intended to help us understand what your application is doing to protect the sensitive data of Medicare beneficiaries.
Ensuring Your Privacy Policy Meets the Basics
- Do you have a privacy policy that is based on industry best practices?
- Is your privacy policy prominent and publicly accessible?
- Please include a link to your publicly available Terms of Service and Privacy Policy.
- Is your privacy policy easy to read, especially from the perspective of a Medicare beneficiary? If not, do you explain the privacy policy in a separate document that is easier to read?
- In either case, what is the estimated reading level of your Privacy Policy and Terms of Service, and how did you measure it?
Does your privacy policy…
- Specify your company’s data collection practice, including any use and sharing of de-identified, anonymized or pseudonymized data?
- Specify your company’s user consent practice, including any use and sharing of de-identified, anonymized or pseudonymized data?
- Note: Some data, even if it has been anonymized, can still be used to identify people with specific medical conditions, etc. Are you doing enough to explain these risks in your privacy policy?
- Specify your company’s data disclosure practice, including any use and sharing of de-identified, anonymized or pseudonymized data?
- Specify your company’s data access practice, including any use and sharing of de-identified, anonymized or pseudonymized data?
- Specify your company’s security practice, including any use and sharing of de-identified, anonymized or pseudonymized data?
- Specify your company’s retention/deletion practice, including any use and sharing of de-identified, anonymized or pseudonymized data?
Also, affirm whether or not your privacy policy addresses the following questions:
- Does your privacy policy address when data sharing might have an impact on others (such as the impact of sharing genetic or family history information on relatives)?
- Will Medicare beneficiaries be notified if your app’s privacy policy is updated to use personal information in a materially different way, or if it makes material, retroactive changes to the way it uses personal information your app has already collected?
- Will the notification give the user context for what has changed and allow them to update their privacy settings and/or opt-out of service?
- Do you understand that, prior to rolling out changes to your Privacy Policy or Terms of Service, you must submit drafts of the new documents and draft notification to beneficiaries by emailing BlueButtonAPI@cms.hhs.gov? The CMS team will review your documents and respond with feedback or approval within five business days. You may not roll out the new documents or notify beneficiaries of changes until you receive approval from CMS.
- Have you used ONC’s Model Privacy Notice (MPN) in developing your application’s privacy policy?
- Have you used any industry alliance reference material in developing your application’s privacy policy?
- Does your privacy policy clearly state whether data is collected, or if it is shared with third parties?
- If data is shared with third parties, is it shared on a one-time basis, or is it collected and shared persistently?
- If data is persistently collected, over what time frame is it collected?
- Do you explain what happens to a user’s data if they withdraw their consent?
- Do you continue to retain and use their data?
- Is their data securely deleted?
- What happens if your company is sold and the use of users’ data could change in a material way? Are beneficiaries and CMS notified?
- Note: We understand that when your company is being purchased, you may have very little power over these decisions. The responsibility of informing users about material changes to the way their data is used belongs to the acquiring company. We would, however, like to see some indication of this in your privacy policy to ensure that the burden is not on the beneficiary to find that out on their own.
- Does your privacy policy clearly state the application’s policy regarding dormant or closed accounts?
Medicare Beneficiary Consent
This section helps prepare you for questions around your understanding and treatment of Medicare Beneficiary consent to your service.
- How will you obtain users’ informed, proactive consent in advance of data sharing? The consent must clearly describe how user data will be collected, used, and shared.
- How do you intend to obtain separate, informed, proactive consent to use or disclose data from another individual identified in the protected health information (PHI) of the user?
- Note: “We won’t” is an acceptable answer.
Use and Disclosure
- If your application works with third-party vendors, do those vendors commit to data protection requirements consistent with the law and with your own expectations, both scaled to the sensitivity of the PII/PHI involved?
- How will you prohibit the use or disclosure of user information (including de-identified, anonymized or pseudonymized data) by third-party vendors, contractors, and partners for any undisclosed purpose without express consent from the user?
- Do you understand that your application may only collect health information that a user expressly consents to?
- Do you understand that your application may only collect, use, and disclose health information in ways that are consistent with user expectation and consent?
Individual Access
- Where do you publicly host a link with instructions for how a user can request to securely and completely dispose of their identifiable health data?
- Do you understand and commit to following laws and best practices to minimize the risk of unauthorized access, use, destruction, annotation, or disclosure of user data?
- How will you store and retain health information in a manner consistent with best practices associated with the protection of personally identifiable health information?
- How will you protect identifiable health information?
- Do you agree to comply with applicable breach notification laws and to provide meaningful remedies for security breaches, privacy violations, or other harms that result from misuse of the user’s health information?
Accountability
- How will you notify the public when you receive any certification or accreditation from any independent certifying organizations?