Sharing your data
What interoperability is - and what it means for you
Good news: You can now access your health data with any approved consumer health apps.
A recent ruling from the Centers for Medicare & Medicaid Services (CMS) allows interoperability. That means you, as a Geisinger Health Plan (GHP) member, can view your health data on your chosen approved third-party apps. Transforming the way you can access your health information transforms how you manage your overall health.
The CMS-9115-F Final Rule applies to the following covered entities.
- Medicare Advantage Organization and Medicaid Managed Care Plans (Geisinger Gold)
- State Medicaid Agencies (GHP Family)
- CHIP Agencies and CHIP Managed Care Entities (GHP Kids)
- Issuers of Qualified Health Plans (QHP) on the Federally facilitated Exchanges (Geisinger Marketplace)
- Federal Employees Health Benefits (FEHB)
Starting July 1, 2021, if you’re a member of any of the above categories of health plans and you consent, we’ll make your health data available on any approved third-party app(s) within 1 business day.
Member Rights and Risks
Right to share data with third-party app(s)
However, for the third-party app to be able to access your data, the third-party app needs to register with us. For more information about third-party apps, click here.
Right to revoke at any time
Right to appoint an authorized personal representative
As a GHP member, you may appoint a personal representative to act on your behalf. Minors usually have their parents or legal guardian as their personal representative.
You can appoint anyone, such as a family member or a trusted aide, as your authorized personal representative to make health decisions on your behalf. The appointed authorized personal representative is treated as the member and can grant, revoke or renew consent to the third-party apps to access your health data.
Be cautious in choosing who you want to appoint as your personal representative. For more information about authorized personal representatives, click here.
Risk of sharing data to third-parties
When you consent to share your data with third parties, being aware of the potential risks lets you make an informed decision.
Allowing an app to access, store, manage or use your data involves some degree of risk. To help you with this decision, we’ve reviewed and rated several apps. We’ll always try to keep your health data safe at all levels in our Geisinger processes and applications. But once your data is shared externally and is controlled by a third party, we have no visibility or control over how they store, manage or consume it.
If you think the safety of your data could be compromised by the third party, you can immediately stop sharing your data with them by calling the GHP customer care team or the number on the back of your member ID card.
Risk of secondary usage of data by the third-party app(s)
A specific example of risk to your data is called secondary usage. When your data is shared with and controlled by a third-party app, they may use your data in other ways, such as for advertising. Pay close attention to the privacy policy and user agreement provided by the app.
If you think the safety of your data could be compromised by the third party, you can immediately stop sharing your data with them by contacting the GHP customer care team or the number on the back of your member ID card.
Risk of appointing authorized personal representative
Risk of social engineering scams
Social engineering attacks, in which scammers try to access your health information, are becoming increasingly sophisticated. Beware of people or organizations posing as representatives of third-party health apps to trick you into sharing your sensitive information. Sometimes called “phishing scams,” these could be phone calls or emails pretending to be a trustworthy company or person requesting your information.
You can protect yourself with these tips:
- Keep your anti-virus/anti-malware software updated.
- Use and check your email filters and spam filters.
- Use multifactor authentication for important accounts.
- Don’t respond to requests for personal information or passwords.
- Don’t open email from a suspicious source.
- Don’t click on links received in an email from a suspicious sender.
- Don’t download or open attachments in an email from an unknown sender.
- Don’t use the same password for multiple accounts.
For more information on how to protect yourself from social engineering scams, or if you think you may have been a victim of such a scam, visit the FTC's site on phishing scams.
Third-party Apps
Who manages third-party apps?
Third-party apps are managed by individuals or organizations outside of Geisinger.
As an app developer you can:
- Access Geisinger’s developer portal
- Review information on developer instructions or API Documentation
- Register yourself or an application
Risk assessment of third-party apps
As a GHP member, you will be empowered and educated with a risk assessment framework for third-party apps. The risk assessment process will provide valuable information and insight into how safe, secure and transparent an app is and how your health data is protected within it. Use the result of the risk assessment to make an informed choice and select the most appropriate app for you.
This risk assessment framework was developed in line with Carin Code of Conduct, CMS Interoperability and Patient Access Final Rule, CMS Blue Button, ONC Privacy Model and HIPAA.
For more information on the risk assessment process followed at Geisinger, see the below "Risk assessment framework information".
Risk assessment framework
The app developer fills out a risk assessment questionnaire to get access to the production environment and real-time member health data. The questionnaire is divided into three sections: data privacy, security assessment and technical assessment. These sections are divided further into seven domains.
Under each domain, developers must answer several questions to explain how the app addresses the requirements of data confidentiality, privacy and security. We evaluate a risk score and risk rating based on their answers.
The app developer is asked to self-attest. If they choose not to attest to the responses provided for the risk assessment questionnaire, we give the app a “high risk” rating regardless of the result of risk assessment process carried out for the app.
| Data Privacy and Security Assessment | Domain Risk Rating | |
| Domain 1 | Privacy Policy and Terms of Service | Medium |
| Domain 2 | Consent Management, Use and Disclosure | High |
| Domain 3 | Individual Access | Medium |
| Domain 4 | Security and Incident Management | Low |
| Domain 5 | Accountability and Provenance | Medium |
| Technical Assessment |
Domain Risk Rating | |
| Domain 6 | Authentication and Authorization Management | High |
| Domain 7 | Application and Data Security | Medium |
You can see the risk ratings and corresponding scores provided for all the apps onboarded by Geisinger.
Risk ratings are categorized as low risk, medium risk and high risk.
| If Risk score is between... | Risk Rating |
| 0 to 30 | Low risk |
| 31 to 70 | Medium risk |
| 71 to 100 | High risk |
It's smartest to choose an app that has a low risk rating.
Authorized Personal Rep*
Who is an authorized personal representative?
An authorized personal representative is a person allowed to act on your behalf to make health decisions for you. Before someone can act as an authorized personal representative, you must appoint them by providing a legal document called Power of Attorney* (POA).
The Centers for Medicare and Medicaid Services says that your authorized personal representative is to be treated as you yourself. That means we would honor the health decisions your representative makes on your behalf (just like we would honor yours). Because of this, you should be careful in choosing who you want to appoint as your authorized personal representative.
*A medical POA is a legally verifiable document that establishes a person’s right to execute/make health decisions on your behalf. This POA document is created upon your direction while you’re in a sound state of mind and health.
| Authorized personal representative | Authorized representative |
| Legal Power of Attorney document required | Power of Attorney documentation not needed |
| Can access member health information & make health decisions | Can access member information but cannot make health decisions |
In Pennsylvania, there are many guidelines on personal representatives for minors.
- Emancipation of minors: In Pennsylvania, there is no general emancipation statute that explains procedures to follow to obtain that legal status. Generally, emancipation in Pennsylvania is based on a factual situation. The below do not need emancipation by a court order:
- Screening and treatment for sexually transmitted diseases
- Screening and treatment for HIV
- Contraception (but not abortion)
- Drug and alcohol treatment
- Mental health treatment if you are age 14 and older
- Minor girl who is pregnant (except for the decision to abort which requires consent by parent/guardian)
- Special Conditions
For pregnant minors- Minor can make all medical decisions (except abortion)/provide consent
- For abortion, consent for treatment needs to be provided by the parent/guardian
For mental health out-patient treatment
- Age: under 14 – The personal representative is required to provide consent
- Age: 14 to 17 – The minor can himself/herself provide consent for treatment, which cannot be contradicted or revoked by the personal representative.
- Age: 18 and above - The person is treated as an adult and can make his/her own health decisions
Rights of an authorized personal representative
Your authorized personal representative is treated like you, the member, in terms of health decisions they can make and has rights that include:
- Making health decisions on your behalf
- Granting, revoking and renewing consent to third-party apps on your behalf
- Viewing the list of third-party app(s) that are accessing your health data
- Accessing your health data via the third-party app(s)
However, if you have restricted your authorized personal representative’s access to certain protected health information, they will not be able to view complete information.
How to appoint an authorized personal representative?
To submit a request for appointing an authorized personal representative, follow these steps:
- Visit here or log in securely to the GHP member portal, to access the personal representative form
- Fill out the online request form (Member information, representative information, electronic signature) and submit the request.
- As a next step, you need to email the signed authorization form - the Power of Attorney (POA) document & other supporting documentation to solutionsteam@thehealthplan.com.
Or you can fax the documents to 570-271-5871 or mail them to:
Geisinger Health Plan
Authorized Personal Representative Form
100 N. Academy Ave.
Danville, PA 17822-3229
Upon successful approval, the authorized personal representative will receive an email from us with a unique access code to set up a new account or link their existing account to the personal representative role.
*If an active Power of Attorney document for the personal representative is already on record, we’ll approve your request and you may not need to separately send the POA document. Call 1-800-498-9731 for questions regarding POA.
For clarification or more information, call the GHP customer care team or the number on the back of your member ID card.
How to terminate an authorized personal representative?
- If you want to replace, submit the updated POA document to revoke the existing POA on our file.
- If you want to revoke, submit a revocation letter mentioning the POA status to be revoked. Your revocation request letter should be witnessed or notarized appropriately for proof of validity.
Submit the document by emailing it to solutionsteam@thehealthplan.com.
Or you can fax the documents to 570-271-5871 or mail them to:
Geisinger Health Plan
Authorized Personal Representative Form
100 N. Academy Ave.
Danville, PA 17822-3229
Limitations of an authorized personal representative
Though an authorized personal representative can act in full capacity of the member, there are certain limitations as below
- A personal representative cannot access those health information that have been withheld by the member, as permissible by applicable laws
- Any third-party app for which consent to share data has been provided by the personal representative, can be revoked by the member at anytime.
- A personal representative cannot access member’s user credentials
- A personal representative cannot login to access /replicate member’s view of the Geisinger systems
- If a member is deceased, the validity of the Power of Attorney ceases and the authorized personal representative can no longer access the member’s health information
How to manage data sharing
How to grant consent
You can grant consent to any registered third-party app to access your health data. To grant consent via the third-party app:
- Log into your third-party app.
- Look for the feature to access your health data from your health plan (or any equivalent section).
- On the list of health plans, select Geisinger Health Plan.
- Login using your GHP member portal credentials.
- Grant consent to the third-party app.
Your data will be shared upon successfully granting consent.
How to renew consent
How to revoke consent
Questions and Complaints
Questions regarding data discrepancies
How to file complaints
To file a complaint contact the GHP customer care team.
If your complaint is not resolved to your satisfaction, you can do the following:
- File a complaint with the Federal Trade Commission (FTC) or Office for Civil Rights (OCR)
*These features will be available in August 2021.
For assistance, contact Geisinger Health Plan's Customer Care team here or call the phone number on the back of your member ID card.