Accessing Your Health Information

Excellus BlueCross BlueShield (BCBS) would like to provide you with some new information about the “Patient Access Application Programming Interface” (API). This information is for members with Medicare Advantage, Medicaid Managed Care, Child Health Plus or Health and Recovery Plans (HARP).

In January 2021, healthcare providers and health plans will bring changes that give you more access to your health information. This will happen over time; the required date for the changes is July 2021.

This new requirement gives a member (“you”) the choice of using a third-party application (app) to access your health information. PLEASE NOTE: “third-party app” or “app” in this notice is different than the Excellus BCBS mobile app.

What do I need to do?

The privacy of your health information is important to us. You may want to think about these questions if you’d like to use a third-party app:

No. If you don’t want to use an app, there’s nothing you need to do.

The API is how information is collected from Excellus BCBS and securely transferred to the app you choose.

  1. As a member, you can download an app to get your health information
  2. You give the app permission to access your information from Excellus BCBS
  3. The app contacts Excellus BCBS for your health information
  4. Excellus BCBS releases your information to the app

It will include member information from most of our plans since January 1, 2016.

  • Claims and information from appointments with your healthcare providers
  • Information collected in providing healthcare coordination

Please note that this may include information about treatment for substance use disorders, mental health treatment, HIV status or other sensitive health information.

The app is not required to follow HIPAA rules and other privacy laws. However, the app should have a privacy policy which describes how they will use, release and possibly sell your information. If you decide to use an app, you’ll want to review their privacy policy. Make sure you’re comfortable with what the app will do with your information.

  • Will this app sell my information?
  • Will the app give my information to third parties for research or advertising?
  • How will the app use my information?
  • Will the app let me control how my information is used?
  • What happens when I no longer want to use the app? Will it be hard to stop their access? What are the steps to do that?
  • What’s the app’s policy for deleting my information once I stop giving permission? Can I just delete the app?
  • How will I know if there is a change in the app’s privacy practices?
  • How does the app protect my information?
  • Will sharing my information with this app affect others, such as my family members?
  • Will the app let me correct mistakes I find in my information?
  • How do I make a complaint?

If the app’s privacy policy doesn’t answer these questions, you may want to reconsider using it. Choose your app carefully.

  • We will not give your health information to an app without your permission. Your privacy is important to us.
  • We are not able to review or control how the app may use your information. We can’t require that an app have a privacy policy, but we do encourage you to review how your information will be protected before you give permission.

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) enforces the HIPAA Privacy, Security, and Breach Notification Rules. Excellus BCBS and most health care providers, such as hospitals, doctors, clinics, and dentists, must follow HIPAA regulations.

You can find more information about HIPAA here:

To learn more about making a complaint with OCR related to HIPAA requirements, visit: .

If you’d like to make a formal complaint with Excellus BCBS about your privacy rights, please print and complete the Health Care Privacy Complaint form. If you don’t have internet access, please call the number on the back of your member card. We can mail you a form.

For complaints about apps and privacy:
An app that publishes a privacy notice must follow those terms. Apps don’t have to follow other privacy laws, like HIPAA, but the Federal Trade Commission Act protects against wrongful use of private information.

An app that does not follow FTC rules can be punished. You can read more about privacy information here:

If you think an app inappropriately used your information, you may file a complaint with the FTC.

Excellus BlueCross BlueShield is an HMO plan and PPO plan with a Medicare contract. Enrollment in Excellus BlueCross BlueShield depends on contract renewal. Submit a complaint about your Medicare plan at or learn about filing a complaint by contacting the Medicare Ombudsman. Y0028_9775_C.

This page last updated 10-01-2023.

