Data Sharing
Interoperability and Patient Access
Region 10 PIHP is committed to providing secure health information to individuals and their healthcare providers. As part of the ONC 2015 Edition Cures Update (170.315(g)(10)), Region 10 ensures that persons served and approved third-party developers can access health data through our secure Application Programming Interfaces (APIs).
This commitment aligns with federal Medicaid requirements, which regulate beneficiary access to and exchange of data (42 CFR §431.60), and public access to provider directory information (42 CFR §431.70).
Key points about the Cures Act payer data exchange:
- Interoperability focus: The primary goal is to promote interoperability, allowing different systems to easily communicate and share patient data without barriers.
- Patient access: The Cures Act also empowers patients to access their own health information from payers, giving them greater control over their healthcare data.
- API utilization: To facilitate data exchange, payers are required to implement APIs that enable secure access to patient information, including claims, clinical data, and encounter details.
- Benefits: This data exchange can lead to improved care coordination, better decision-making by healthcare providers, reduced administrative burdens, and enhanced patient experience.
Click here to read more about the Interoperability and Patient Final Rule.
Individual Access to Healthcare Data
Region 10 PIHP offers the individuals we serve access to their healthcare data. This information can be accessed through a third-party application that connects to our healthcare data API. Before any data is shared, you must approve the application’s request to access your health information. While no third-party applications are currently registered and available, we are actively accepting requests from app developers to integrate their software with our system.
You can also access your healthcare records through an online CMH patient portal. To enable portal access, contact the Community Mental Health services program (CMH) where your services were authorized or provided.
Security and Privacy Measures
Region 10 PIHP is fully compliant with HIPAA and CMS requirements to protect sensitive information. Our API features multiple layers of security, including:
- Encryption: All data exchanged via our API is encrypted to ensure confidentiality.
- Authorization and Pre-registration: Third-party developers must go through a pre-registration process to gain access to data. Individuals served maintain full control over who can access their health information.
- Token-based Authentication: Access to data requires token-based authentication, adding an extra layer of security for every transaction.
If you authorize a third-party application to access your healthcare data, it’s important to understand how that application will protect your information. Once information is shared with an external application, that application may or may not be subject to HIPAA privacy protections. The U.S. Department of Health and Human Services provides a guide to help you understand the privacy and security considerations when accessing your health information through apps and APIs.
Before using a third-party application, consider these steps to help protect your information:
- Understand How the App Works: Make sure you fully understand how the app operates and how it will allow you to access your personal health information (PHI). Review any guides, FAQs, or tutorials provided by the app developer to ensure you know how to navigate the app and manage your data.
- Password Protection and Security: The application should require strong password protection or multi-factor authentication for accessing your information. This adds an extra layer of security and ensures that only you (or someone you trust) can access your data.
- Review the Privacy Policy: A transparent, easy-to-read Privacy Policy is essential. It should clearly explain how your personal and health information will be used, stored, and shared. Be cautious of apps that either lack a Privacy Policy or have unclear terms. Ensure the policy outlines how changes will be communicated to you, and always look for apps that prioritize your consent.
- Know What Data the App Collects: Beyond your healthcare data, check what other types of information the app collects. Some apps may request access to your location, contacts, or even details about family members. If you’re uncomfortable with the extent of data collection, consider looking for an alternative.
- Where and How Data Is Stored: Understand where your data will be stored and whether it is transferred or accessed outside the United States. Knowing the app’s data storage practices is crucial in ensuring your data is safe and governed by appropriate legal protections.
- Third-Party Sharing: Review the app's policy on data sharing. Some apps may sell or share your information with advertisers, researchers, or other third parties. Ensure the Privacy Policy specifies who they share your data with and why. If you prefer not to share your data with third parties, look for an app that allows you to opt out of this practice.
- Limit Data Use and Disclosure: Make sure the app allows you to control how much data you share and with whom. Reputable apps will let you limit access to only the information necessary for the app’s function, without forcing you to share everything.
- Security Measures: Verify that the app uses industry-standard security protocols like encryption to protect your data. Your health information should be safeguarded with reasonable and appropriate measures to prevent unauthorized access or breaches.
- Handling Complaints and Issues: The app should have a straightforward and transparent process for handling user complaints or privacy concerns. Make sure you can easily contact their support team if issues arise.
- Ending Data Access: If you decide to stop using the app or want to withdraw its access to your healthcare data, the app should offer a clear, simple process for terminating access. It’s also important to check if the app has a policy for deleting your data once access is revoked, ensuring your information doesn’t remain in their systems longer than necessary.
By following these guidelines, you can choose a third-party app that keeps your health information secure and gives you control over how your data is accessed and shared.
If you are a developer interested in connecting your application to our API, please review our Web Service API Documentation for full details on the security protocols and technical requirements. To apply for access to the API, please submit a written request using the PCE API Access Request Form in Appendix A of our Web Service API Documentation.
Your Rights Under HIPAA
As a beneficiary, HIPAA grants you specific rights over your healthcare data, including:
- Right to Access: You have the right to access your healthcare information and request copies of your medical records from covered entities like health plans and healthcare providers.
- Right to Request Amendments: If you believe that your healthcare data is incorrect or incomplete, you have the right to request amendments to your health records.
- Right to Privacy: Your healthcare data is protected from unauthorized disclosure. Covered entities must follow strict privacy and security standards to ensure your information is only shared with authorized parties.
- Right to File a Complaint: If you believe your healthcare privacy rights have been violated, you have the right to file a complaint with the U.S. Department of Health & Human Services (HHS) Office for Civil Rights (OCR). You can learn more about how to file a complaint here. You can also file a complaint with the Federal Trade Commission (FTC). ReportFraud.ftc.gov is the federal government's website where you can report fraud, scams, and bad business practices.
For more detailed information about your HIPAA rights, visit the official CMS webpage: Understanding HIPAA
API Information
In our ongoing effort to meet CMS interoperability standards, Region 10 PIHP collaborates with our EHR vendor, PCE Systems. Together, we ensure the secure and compliant sharing of healthcare information in a way that meets the needs of the individuals we serve while protecting their privacy.
► Provider Directory API:
The Payer Data Exchange exposes public-facing API endpoints that support the querying of provider directory information. These endpoints allow third-party applications and websites to retrieve designated provider directory data from our payer system. Please see the link below for detailed information on Region 10’s Provider Directory API.
Provider Directory API Documentation
Provider Directory API endpoint: https://fhir.pcesecure.com:9443/PCEFhirServer/MIX/metadata
► Patient Access API:
The public-facing Web Service API provides an interface into the PCE Care Management Version 9.4 system to meet the criteria for ONC 2015 Edition Cures Update test 170.315(g)(10). Please see the link below for detailed specifications and information on how to apply for API access as a developer.