Sharing and Protecting Your Health Care Data

Data-Sharing with applications (Apps) under the CMS Interoperability and Patient Access Rule

In 2020, the Center for Medicare and Medicaid Services (CMS) enacted the Interoperability and Patient Access Rule (CMS Interoperability Rule). This rule enables customers of certain health plans to easily access their claims and information about their visits with providers, including cost and certain specified clinical information maintained by their plans, through third-party applications (Apps) of their choice.

Sharing Your Data

The CMS Interoperability Rule enables customers of certain plans to access their health care data through a number of different health care applications. As a result, customers have the ability to view their health care data and share their health care data in new ways with other parties, such as providers or caregivers.

In order to enable a customer to use an application to access their health care data, the third party application developer must first connect with Cigna’s system. The customer using the application then may authorize the application to request access to the customer’s data. Consistent with privacy laws, Cigna protects customers’ health care data when it is in Cigna's systems and in connection with its transfer to third parties like applications that customers may use.

These third party applications that customers use to access to their health care data are not Cigna companies and are not subcontractors for Cigna companies. Cigna cannot, and does not, control the actions of external applications customers may use to access their health care data.

As a result, once you authorize the third party application to access your health information, Cigna cannot protect or monitor the maintenance, use, or disclosure of your information. This means, for example, that Cigna cannot, and does not, guarantee that any third party application will maintain the privacy and security of your health care data.

You can use the resources below to understand how to protect the privacy and security of your health information while considering whether to use a particular third party application to access your health care data.

Special considerations if you are part of an enrollment group in an Individual or Family Plan

If you are part of an enrollment group under a Qualified Health Plan (QHP) on a Federally- Facilitated Exchange (FFE), please be aware that your data may be combined with other members of their tax household. This means that other individuals on their plan may be able to access their data. Cigna’s policy for Individual and Family Plans is that individuals cannot access data from other members of their household unless they are the parent of a minor child or a personal representative of a family member.

If you are an enrollee of a Cigna Individual or Family Plan, please refer to our privacy forms for guidance on how to modify access to your data.

Selecting an Application

Before selecting an application to view your health care data, you should review the application’s privacy policy and Terms of Use/Terms of Service. The policy should be understandable and easy to read. Applications often use data they collect on behalf of customers for other purposes. The application’s privacy policy should outline how data will be used and what steps the company has taken to protect the data that they receive and store. Cigna does not advise the use of any application which does not have a privacy policy.

Questions about your health care data to consider as you select an application:

  • What data will this app collect? Will this app collect non-health care data from my device, such as my location?
  • Will my data be stored in a de-identified or anonymized form?
  • How will this app use my data?
  • Will this app disclose my data to third parties?
  • Will this app share my data for any reason, such as advertising or research? If so, with whom? For what purpose?
  • How can I limit this app’s use and disclosure of my data?
  • What security measures does this app use to protect my data?
  • What impact could sharing my data with this app have on others, such as my family members?
  • How can I access my data and correct inaccuracies in data retrieved by this app?
  • Does this app have a process for collecting and responding to user complaints?
  • If I no longer want to use this app, or if I no longer want this app to have access to my data, how do I terminate the app’s access to my data?
  • What is the app’s policy for deleting my data once I terminate access? Do I have to do more than just delete the app from my device?
  • How does this app inform users of changes that could affect its privacy practices?

If the application’s privacy policy does not clearly answer these questions, you should reconsider using the app to access your health care data. Health information is very sensitive information, and you should be careful to choose apps with strong privacy and security standards to protect yourself and your private data.

Cigna’s application attestation process
When an application developer requests access to your data, it’s Cigna’s policy to request that they sign a document attesting that their privacy policy contains certain elements to protect your data. Cigna cannot require that the application sign and return an attestation before sharing your data. Customers should always review an application’s privacy policy on their own in addition to considering the application’s attestation.

Cigna requests application developers attest to a code of conduct that was created by the Creating Access to Real-time Information Now (CARIN) Alliance. The CARIN Alliance is a group of stakeholders representing hospitals, physicians, caregivers, and patients. The CARIN Alliance Code of Conduct sets standards for how consumer health care data will be utilized and protected. The Code of Conduct also requires organizations to be transparent with individuals regarding the application’s use of and security measures protecting an individual’s health care data.

Applications Approved1 to Access Cigna Data

Apps that completed the CARIN Alliance Code of Conduct bear a special symbol(*) to show they attested to protecting your privacy. Apps that do not bear this symbol have not completed a privacy attestation through the CARIN Alliance.

Cigna has approved the following applications:





Applications and HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) protects the use and disclosure of Protected Health Information (PHI), which includes an individual’s medical information as well as personal identifiers such as name, address, date of birth, and Social Security number. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces the HIPAA Privacy, Security, and Breach Notification Rules, and The Patient Safety and Quality Improvement Act of 2005 (PSQIA). Cigna is a Covered Entity under HIPAA. Hospitals, providers, and other health care entities may also be covered under HIPAA. Most applications are not covered under HIPAA. If you are a patient, you can review our Privacy Policy.

Additional HIPAA Information:

Cigna HIPAA content

U.S. Department of Health and Human Services Health Information Privacy

Applications and Federal Trade Commission Oversight

Most applications will be regulated by the Federal Trade Commission (FTC). The law that governs application behavior is the Federal Trade Commission Act. This law prohibits, among other things, applications that deceive customers. An example of a deceptive act would be an application that shares an individual’s data without permission even if they have policy that states they will not do so.

Applications That Act in an Inappropriate Manner

If you feel that your data has been breached or used in an inappropriate manner, please email Cigna’s Privacy Office or write to:

Privacy Office
PO Box 188014
Chattanooga, TN 37422

1Applications that are approved may not be prepared for customer requests. Please contact the application customer service directly with any questions.