Patient Access API

Looking to use your clinical data with another app? If you're interested in sharing your Oscar data with a third party app, here's some helpful information about our new Patient Access API.

The 21st Century Cures Act and the CMS Patient Access API

The 21st Century Cures Act was signed into law in December 2016 and is intended to give patients and their healthcare providers secure access to health information, to improve interoperability between health information systems and increase patient access to their own health data. This law also empowers the Centers for Medicare & Medicaid Services (CMS) to create regulations to further this goal, which it did with the creation of the CMS Interoperability and Patient Access final rule (CMS-9115-F). In order to increase patients' access to their health data, the rule prohibits information blocking and requires health insurance plans to give members access and the ability to share their health plan data via an API endpoint with third-party applications of their choice. The deadline for health plans to comply with this mandate was July 1st, 2021.

What Does This Mean for You and Oscar?

What this set of regulations means is that Oscar must make available all of your claims and clinical data contained in its systems via an API endpoint, through which you can share this data with third-party applications of your choosing. Your data is updated and made available through the API within 24 hours of Oscar receiving any new data. Oscar has contracted with 1upHealth, a HIPAA-compliant industry leader in healthcare data integration. 1upHealth uses a modern data standard called Fast Healthcare Interoperability Resources (FHIR) to give you access to your data and the ability to share it.

When you wish to integrate your healthcare data with third-party applications, such as MyCharts, Apple Health, or FitBit, you will connect through these applications to the 1upHealth platform. Once your identity is authenticated, Oscar will share your healthcare data with the third-party application you have chosen, through the 1upHealth platform.

API Interoperability Standards

Implementation Guides

Why Share Your Data? Benefits and Risks

There are a host of benefits to this new ability to access and share your data. Take a look at our App Gallery for a sampling of the third-party applications being developed to help you make use of this information. Some apps allow you to aggregate your data from multiple health systems to create a complete record of your interactions with different doctors and hospitals, and even combine it with data you generate on your own from wearable devices like glucose meters, pedometers, or heart rate monitors. Other common uses include prescription drug management, chronic disease management, nutrition tracking, and care coordination. Data sharing gives you greater ownership of and visibility into your health data, and has the potential to improve both your health and the quality of care you receive from the health care system.

Understanding your App Privacy

As with any interaction over the internet, these benefits are not without some level of risk. Oscar takes your privacy and the security of your health information as seriously as you do. That's why your data will never be shared without your express permission. Oscar safeguards your data throughout the sharing process in several ways, including using challenge questions and multi-factor authentication to confirm that you, and no one else, can access and share your data. It is important to understand that once your data is shared with a third-party application, Oscar is no longer responsible for the security of that data. This is why it is important to read the privacy and security policies of any application you choose to share your data with, so that you understand how your data is protected and used by that specific, non-Oscar application.

As a health plan, Oscar is a Covered Entity as defined by the Department of Health and Human Services (HHS) and must protect your information under HIPAA. Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.

Many organizations that have health information about you do not have to follow these laws. Examples of organizations that do not have to follow the Privacy and Security Rules include:
  • Life insurers
  • Employers
  • Workers compensation carriers
  • Most schools and school districts
  • Many state agencies like child protective service agencies
  • Most law enforcement agencies
  • Many municipal offices
Non-Oscar applications are often not Covered Entities and as such may not be subject to HIPAA. However, the FTC enforces the Health Breach Notification Rule, which requires certain organizations and apps not covered by HIPAA to notify their customers, the FTC, and, in some cases, the media if there is a breach of unsecured, individually identifiable health information. The FTC has made it clear that makers of health apps, connected devices, and similar products must comply with the Rule.

The HHS Office for Civil Rights (OCR) enforces the HIPAA Privacy, Security, and Breach Notification Rules, and the Patient Safety Act and Rule. You can find more information about patient rights under HIPAA and who is obligated to follow HIPAA here: https://www.hhs.gov/hipaa/for-individuals/guidance-materials-for-consumers/index.html

How to Report Identity Theft and Fraud

If you believe a non-Oscar application that you've shared your data with is misusing that information in violation of its stated privacy policy, contact the Federal Trade Commission to investigate the matter by going to ReportFraud.ftc.gov or calling (877) 382-4357. If you believe the privacy of your health care data has been violated by a non-Oscar application, contact the FTC and file a complaint at: https://reportfraud.ftc.gov/#/assistant

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces federal civil rights laws, conscience and religious freedom laws, the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules, and the Patient Safety Act and Rule, which together protect your fundamental rights of nondiscrimination, conscience, religious freedom, and health information privacy at covered entities.

If you believe that a HIPAA-covered entity or its business associate violated your (or someone else's) health information privacy rights or committed another violation of the Privacy, Security, or Breach Notification Rules, you may file a complaint with OCR. OCR can investigate complaints against covered entities (health plans, health care clearinghouses, or health care providers that conduct certain transactions electronically) and their business associates.

To learn more about filing a complaint with OCR under HIPAA, visit: https://www.hhs.gov/hipaa/filing-a-complaint/index.html

Individuals can file a complaint with OCR using the OCR complaint portal: https://ocrportal.hhs.gov/ocr/smartscreen/main.jsf

Individuals can file a complaint with the FTC using the FTC complaint assistant: https://reportfraud.ftc.gov/#/assistant