
Sharing your data

What interoperability is - and what it means for you

Good news: You can now access your health data with any approved consumer health apps.

A recent ruling from the Centers for Medicare & Medicaid Services (CMS) allows interoperability. That means you, as a Geisinger Health Plan (GHP) member, can view your health data on your chosen approved third-party apps. Transforming the way you can access your health information transforms how you manage your overall health.

The CMS-9115-F Final Rule applies to the following covered entities.  

  • Medicare Advantage Organization and Medicaid Managed Care Plans (Geisinger Gold)
  • State Medicaid Agencies (GHP Family)
  • CHIP Agencies and CHIP Managed Care Entities (GHP Kids)
  • Issuers of Qualified Health Plans (QHP) on the Federally facilitated Exchanges (Geisinger Marketplace)

Starting July 1, 2021, if you’re a member of any of the above categories of health plans and you consent, we’ll make your health data available on any approved third-party app(s) within 1 business day.

Have questions?

Member Rights and Risks

Right to share data with third-party app(s)

You can grant consent to share your health data with any chosen third-party app starting July 1, 2021. When you consent, we are required to make your health data available to the third-party app within 1 business day.

However, for the third-party app to be able to access your data, the third-party app needs to register with us. For more information about third-party apps, click here.

Right to revoke at any time

Think your data is unsafe with the third-party app — or just want to stop accessing your data on the third-party app? No problem. You can immediately revoke the access granted to the app by calling the GHP customer care team or the number on the back of your member ID card.

Right to appoint an authorized personal representative

As a GHP member, you may appoint a personal representative to act on your behalf. Minors usually have their parents or legal guardian as their personal representative.

You can appoint anyone, such as a family member or a trusted aide, as your authorized personal representative to make health decisions on your behalf. The appointed authorized personal representative is treated as the member and can grant, revoke or renew consent to the third-party apps to access your health data. 

Be cautious in choosing who you want to appoint as your personal representative. For more information about authorized personal representatives, click here.


Risk of sharing data with third parties

When you consent to share your data with third parties, being aware of the potential risks lets you make an informed decision.

Allowing an app to access, store, manage or use your data involves some degree of risk. To help you with this decision, we’ve reviewed and rated several apps. We’ll always try to keep your health data safe at all levels in our Geisinger processes and applications. But once your data is shared externally and is controlled by a third party, we have no visibility or control over how they store, manage or consume it.

If you think the safety of your data could be compromised by the third party, you can immediately stop sharing your data with them by calling the GHP customer care team or the number on the back of your member ID card.


Risk of secondary usage of data by the third-party app(s)

A specific example of risk to your data is called secondary usage. When your data is shared with and controlled by a third-party app, they may use your data in other ways, such as for advertising. Pay close attention to the privacy policy and user agreement provided by the app.

If you think the safety of your data could be compromised by the third party, you can immediately stop sharing your data with them by contacting the GHP customer care team or the number on the back of your member ID card.


Risk of appointing authorized personal representative

An authorized personal representative can access all your health data via third-party apps. Without your knowledge, they can grant and revoke access to your data to any third-party app they choose. Because your authorized personal representative is treated as you, the member, with regard to making health decisions, be cautious about who you appoint.

Risk of social engineering scams

Social engineering attacks, in which scammers try to access your health information, are becoming increasingly sophisticated. Beware of people or organizations posing as representatives of third-party health apps to trick you into sharing your sensitive information. Sometimes called “phishing scams,” these could be phone calls or emails pretending to be a trustworthy company or person requesting your information.


You can protect yourself with these tips:

  • Keep your anti-virus/anti-malware software updated.
  • Use and check your email filters and spam filters.
  • Use multifactor authentication for important accounts.
  • Don’t respond to requests for personal information or passwords. 
  • Don’t open email from a suspicious source.
  • Don’t click on links received in an email from a suspicious sender.
  • Don’t download or open attachments in an email from an unknown sender.
  • Don’t use the same password for multiple accounts.

For more information on how to protect yourself from social engineering scams, or if you think you may have been a victim of such a scam, visit the FTC's site on phishing scams.


Third-party Apps

Who manages third-party apps?

Third-party apps are managed by individuals or organizations outside of Geisinger.

As an app developer you can:


Risk assessment of third-party apps

As a GHP member, you will be empowered and educated with a risk assessment framework for third-party apps. The risk assessment process will provide valuable information and insight into how safe, secure and transparent an app is and how your health data is protected within it. Use the result of the risk assessment to make an informed choice and select the most appropriate app for you.

This risk assessment framework was developed in line with the CARIN Code of Conduct, the CMS Interoperability and Patient Access Final Rule, CMS Blue Button, the ONC Privacy Model and HIPAA.

For more information on the risk assessment process followed at Geisinger, see "Risk assessment framework information" below.


Risk assessment framework

The app developer fills out a risk assessment questionnaire to get access to the production environment and real-time member health data. The questionnaire is divided into three sections: data privacy, security assessment and technical assessment. These sections are divided further into seven domains.

Under each domain, developers must answer several questions to explain how the app addresses the requirements of data confidentiality, privacy and security. We evaluate a risk score and risk rating based on their answers.

The app developer is asked to self-attest. If they choose not to attest to the responses provided for the risk assessment questionnaire, we give the app a “high risk” rating regardless of the result of the risk assessment process carried out for the app.

Data Privacy and Security Assessment

| Domain | Risk Rating |
| --- | --- |
| Domain 1: Privacy Policy and Terms of Service | Medium |
| Domain 2: Consent Management, Use and Disclosure | High |
| Domain 3: Individual Access | Medium |
| Domain 4: Security and Incident Management | Low |
| Domain 5: Accountability and Provenance | Medium |

Technical Assessment

| Domain | Risk Rating |
| --- | --- |
| Domain 6: Authentication and Authorization Management | High |
| Domain 7: Application and Data Security | Medium |

 

You can see the risk ratings and corresponding scores provided for all the apps onboarded by Geisinger.
Risk ratings are categorized as low risk, medium risk and high risk.

| If risk score is between... | Risk rating |
| --- | --- |
| 0 to 30 | Low risk |
| 31 to 70 | Medium risk |
| 71 to 100 | High risk |

It's smartest to choose an app that has a low risk rating.


Authorized Personal Rep*

Who is an authorized personal representative?

An authorized personal representative is a person allowed to act on your behalf to make health decisions for you. Before someone can act as an authorized personal representative, you must appoint them by providing a legal document called Power of Attorney* (POA). 

The Centers for Medicare and Medicaid Services says that your authorized personal representative is to be treated as you yourself. That means we would honor the health decisions your representative makes on your behalf (just like we would honor yours). Because of this, you should be careful in choosing who you want to appoint as your authorized personal representative.

*A medical POA is a legally verifiable document that establishes a person’s right to execute/make health decisions on your behalf. This POA document is created upon your direction while you’re in a sound state of mind and health. 

| Authorized personal representative | Authorized representative |
| --- | --- |
| Legal Power of Attorney document required | Power of Attorney documentation not needed |
| Can access member health information & make health decisions | Can access member information but cannot make health decisions |

 

In Pennsylvania, there are many guidelines on personal representatives for minors.

  • Emancipation of minors: In Pennsylvania, there is no general emancipation statute that explains the procedures to follow to obtain that legal status. Generally, emancipation in Pennsylvania is based on a factual situation. The following do not need emancipation by a court order:
    • Screening and treatment for sexually transmitted diseases
    • Screening and treatment for HIV
    • Contraception (but not abortion)
    • Drug and alcohol treatment
    • Mental health treatment if you are age 14 and older
    • Minor girl who is pregnant (except for the decision to abort which requires consent by parent/guardian)
  • Special Conditions
    For pregnant minors
    • Minor can make all medical decisions (except abortion)/provide consent
    • For abortion, consent for treatment needs to be provided by the parent/guardian

    For mental health out-patient treatment
    • Age: under 14 – The personal representative is required to provide consent
    • Age: 14 to 17 – The minor can himself/herself provide consent for treatment, which cannot be contradicted or revoked by the personal representative.
    • Age: 18 and above – The person is treated as an adult and can make his/her own health decisions

Rights of an authorized personal representative

Your authorized personal representative is treated like you, the member, in terms of health decisions they can make and has rights that include:

  • Making health decisions on your behalf 
  • Granting, revoking and renewing consent to third-party apps on your behalf
  • Viewing the list of third-party app(s) that are accessing your health data
  • Accessing your health data via the third-party app(s)

However, if you have restricted your authorized personal representative’s access to certain protected health information, they will not be able to view complete information.


How to appoint an authorized personal representative?

To submit a request for appointing an authorized personal representative, follow these steps:

  • Visit here or log in securely to the GHP member portal to access the personal representative form.
  • Fill out the online request form (member information, representative information, electronic signature) and submit the request.
  • As a next step, email the signed authorization form (the Power of Attorney (POA) document) and other supporting documentation to solutionsteam@thehealthplan.com.

Or you can fax the documents to 570-271-5871 or mail them to:
Geisinger Health Plan
Authorized Personal Representative Form
100 N. Academy Ave.
Danville, PA 17822-3229

Upon successful approval, the authorized personal representative will receive an email from us with a unique access code to set up a new account or link their existing account to the personal representative role.

*If an active Power of Attorney document for the personal representative is already on record, we’ll approve your request and you may not need to separately send the POA document. Call 1-800-498-9731 for questions regarding POA.

For clarification or more information, call the GHP customer care team or the number on the back of your member ID card.


How to terminate an authorized personal representative?

  1. If you want to replace your representative, submit the updated POA document to revoke the existing POA we have on file.
  2. If you want to revoke the appointment, submit a revocation letter stating the POA status to be revoked. Your revocation request letter should be witnessed or notarized appropriately for proof of validity.

Submit the document by emailing it to solutionsteam@thehealthplan.com.

Or you can fax the documents to 570-271-5871 or mail them to: 
Geisinger Health Plan
Authorized Personal Representative Form
100 N. Academy Ave.
Danville, PA 17822-3229


Limitations of an authorized personal representative

Though an authorized personal representative can act in the full capacity of the member, there are certain limitations:

  • A personal representative cannot access health information that has been withheld by the member, as permissible by applicable laws
  • Consent to share data that the personal representative has given to any third-party app can be revoked by the member at any time
  • A personal representative cannot access the member’s user credentials
  • A personal representative cannot log in to access or replicate the member’s view of the Geisinger systems
  • If a member is deceased, the validity of the Power of Attorney ceases and the authorized personal representative can no longer access the member’s health information
 

How to manage data sharing

How to grant consent

You can grant consent to any registered third-party app to access your health data. To grant consent via the third-party app:

  1. Log in to your third-party app.
  2. Look for the feature to access your health data from your health plan (or any equivalent section).
  3. On the list of health plans, select Geisinger Health Plan.
  4. Log in using your GHP member portal credentials.
  5. Grant consent to the third-party app.

Your data will be shared upon successfully granting consent.


How to renew consent

You or your personal representative can renew consent for a third-party app if it has expired or is nearing expiry. Call the GHP customer care team or the number on the back of your member ID card and place a request to renew consent.

How to revoke consent

You can revoke consent to any third-party app at any time. Note that deleting the app from your device may not end the app’s access to your data. You can revoke consent by calling the GHP customer care team or the number on the back of your member ID card, and they will revoke the app’s access during the call. They can also revoke access to all apps at once to protect your data if your phone is lost or stolen.

Questions and Complaints

Questions regarding data discrepancies

If you think your data shown on the app is incorrect, you can reach the GHP customer care team or the number on the back of your member ID card to resolve the issue.

How to file complaints

To file a complaint, contact the GHP customer care team.

If your complaint is not resolved to your satisfaction, you can do the following:


*These features will be available in August 2021.

For assistance, contact Geisinger Health Plan's Customer Care team here or call the phone number on the back of your member ID card.