Voluntary code of conduct developed by more than 60 industry stakeholders can help facilitate health data exchange with entities not covered by HIPAA

The CARIN Alliance, a multi-sector group of health care and other stakeholders, has developed a voluntary code of conduct for entities not covered by HIPAA, such as third-party applications, when handling health care data accessed via application programming interfaces (APIs).

Washington, D.C., NOVEMBER 27 — The CARIN Alliance, a multi-sector group of more than sixty health care and other stakeholders managed by Leavitt Partners, has released the CARIN code of conduct for how entities not covered by the Health Insurance Portability and Accountability Act (HIPAA), such as third-party applications, can voluntarily handle health care data on behalf of consumers. For the first time, health care organizations and other organizations have an enforceable code of conduct that third-party applications not covered by HIPAA can self-attest to in order to access health care data on behalf of consumers.

In support of recent legislative statutes, such as the 21st Century Cures Act, and ongoing regulatory measures, health care organizations across the country are implementing application programming interfaces (APIs) that allow consumers to access their health information on a third-party application of their choice. When personally identifiable health information is shared with such applications, that information is considered consumer data and falls outside of the industry’s current privacy and security practices under HIPAA. The CARIN code of conduct addresses how health care data should be handled by consumer-facing applications under Section 5(a) of the Federal Trade Commission Act, which encourages industry to develop consensus on what is meant by “unfair or deceptive acts or practices”.

The CARIN code of conduct is based on a central theme – third-party applications need to ensure consumers, or their authorized caregivers, provide informed, proactive consent for how their health care data is collected, used, and shared, giving consumers complete access and control over the use of their health care data by entities not covered by HIPAA. As part of the CARIN code of conduct’s implementation, the CARIN Alliance is working with industry organizations and other consumer platform companies to encourage them to adopt the CARIN code of conduct as part of the consumer-facing application’s registration and onboarding process.

“The CARIN code of conduct is an effective first step to ensure consumers’ data sharing preferences are the foundation for how electronic data exchange will occur between entities not covered by HIPAA,” said Governor Mike Leavitt, founder of Leavitt Partners.

Aneesh Chopra, President of CareJourney and former U.S. Chief Technology Officer under President Obama, said, “A consumer’s right to access his or her health information and to share it with the applications or services one trusts is critical to realizing the benefits of value-based care delivery. It’s been a pleasure to work with Governor Leavitt and the multi-stakeholder membership of the CARIN Alliance in drafting this code of conduct. I’m confident the CARIN code of conduct will enable more trusted consumer-directed exchange via open APIs and 3rd party applications and am excited to build on this progress with the CARIN Alliance to release more data to consumers with less friction in 2019!”

Ryan Howells, a principal at Leavitt Partners who helps lead the work of the CARIN Alliance, said, “We are incredibly grateful for the input of the CARIN board, members, and participants who have engaged in robust dialogue for a number of months on this important milestone. We look forward to receiving stakeholder feedback on our website and working with industry to operationalize the CARIN code of conduct in the months ahead. The CARIN Alliance believes this helps lay the foundation for us to work with industry to release more health care data to consumers using Application Programming Interfaces (APIs) in 2019 and beyond.”

The CARIN Alliance welcomes and encourages feedback on this initial draft of the CARIN code of conduct from consumers, caregivers, and industry stakeholders, which will help inform later versions. To read and comment on the CARIN code of conduct, visit

Below are quotes from health care industry leaders expressing their support for the CARIN code of conduct.

Consumers and Caregivers

Katie Martin, Vice President of Health Policy and Programs for the National Partnership for Women and Families, said, “Given women’s role as health decision makers and care coordinators, it is critical we help them harness the power of digital health tools to manage their own care and their loved ones’ health. We support consumers’ ability to securely access their health information using the mobile health application of their choice. The CARIN code of conduct will help consumers understand how applications use and share their health information, and ultimately make it easier to choose an application that meets their preferences.”

“It is vitally important that consumers and their authorized caregivers can access their health care information using the application of their choice. The CARIN code of conduct will help lay the foundation for how these applications will use and protect consumers’ health information outside of HIPAA and provide all of us with better peace of mind that our data is being used based on our personal preferences,” said John Schall, CEO of Caregiver Action Network.

Collaborative Entities and Information Networks

“Carequality believes strongly in collaboration across the industry, and in not duplicating work done by others. We’re eager to evaluate the CARIN code of conduct within our community, to see if we can adopt it within the Carequality Interoperability Framework to advance consumer access to health records,” said Dave Cassell, Executive Director of Carequality.

Micky Tripathi, CEO of Massachusetts eHealth Collaborative and manager of The Argonaut Project, commented, “The rapid adoption of FHIR-based APIs is opening the floodgates for patients to manage their own health information, which is truly exciting. However, our policy infrastructure hasn’t caught up with these technology advancements. Patients need to understand that HIPAA does not protect their data once it is in their hands. The CARIN code of conduct fills an important gap by educating patients on what is at risk and establishing industry responsibility for protection of patient data.”

Teresa Rivera, CEO of the Utah Health Information Network (UHIN), said, “UHIN, as a Health Information Exchange, understands the value of aggregating data from disparate health care entities for providers, hospitals, care managers and especially the patient and their caregivers. We also understand the importance of privacy and security. Therefore, we applaud the CARIN Alliance’s work to ensure the privacy and security of the patient’s data in applications that are not governed by HIPAA. UHIN’s MYONECHART, a patient’s view of their aggregated data, meets the criteria of the CARIN code of conduct. We look forward to furthering patient access via consumer-directed exchange.”

The Future of Privacy Forum’s Carson Martinez said, “As personal health information is transferred from hospitals and providers to patients through third-party applications, it is crucial to maintain strong privacy safeguards. Patients need straightforward ways to control and protect their health data. Widespread adoption of consistent notices and controls would help establish trust in consumer-directed exchange.”

Lonnie Rae, CEO of Medal, Inc., said, “Medal is proud of our collaboration with the CARIN Alliance and of this step forward together. Medal believes this is an important moment on the path to creating internet-like connectivity in healthcare, where it will eventually be possible to simply sign on and securely view relevant permission-based medical information. The time for a solution is now — each year that passes, over a quarter of a million Americans die of medical error, including medication interactions, missed diagnosis and delayed diagnosis — many of these tragedies are preventable. It’s why we built Medal – an infrastructure layer that easily extracts and processes data from these sources and formats where critical health information is often trapped and transforms unstructured data into a patient narrative that is useful to providers, patients, and members across a spectrum of care. Medal is committed to thoughtful and patient-centered progress in our industry.

Personally, I have undergone training as a clinician and I have survived and lived well after being hit by a bus and all that that has entailed. For me, personally, I thank the CARIN Alliance for their persistence and patience so that individuals, their families, and their care teams may no longer struggle with the physical binders, virtual folders of PDFs, and incomplete clinical records that lead to the heartache of seeing or being a new patient and having to write page 3,001 of a medical record with no access to or way to effectively use the prior 3,000 pages.”

“Medfusion supports the guiding principles of the CARIN code of conduct and believes that consumers should be empowered to make informed choices. As we connect hundreds of thousands of users to their data each week, we appreciate the involvement of all organizations similarly focused on this effort. Our network of health systems and providers allows patients to retrieve, aggregate, and share their health records as they see fit in a trusted environment across any device, which helps make better and more informed patients and physicians,” commented Ryan Magnes, EVP Growth and Innovation at Medfusion.

Former Regulators

Deven McGraw, former Deputy Director for Health Information Privacy at the Department of Health and Human Services Office for Civil Rights and current General Counsel and Chief Regulatory Officer of Ciitizen, said, “The HIPAA Privacy Rule’s individual right of access has long been an empty promise because patients face a long, burdensome and often costly process to get their health records. APIs can be a game changer by enabling individuals, through online applications or services, to easily get their health data, use it, and share it consistent with their needs and values. But concerns about whether these applications, most of which are not covered by HIPAA, will protect the privacy and security of users’ health information threaten to place more obstacles between patients and their health data. The CARIN code of conduct, which is enforceable by the FTC against commercial entities who pledge to adhere to it, could go a long way to removing those obstacles.”

Application Vendors

“The ability for patients to gather, aggregate, manage and share their health records will have a dramatic impact on healthcare. Patients should have full assurance their data is safe and not being used in any way without their permission. I’m happy to place MyLinks® among the list of consumer-facing health applications who will use the CARIN code of conduct to protect and inform our users,” said Debi Willis, CEO of PatientLink.

“Consumers want to be more empowered when it comes to their health. The regulatory changes enabling health information access via APIs through mobile health (mHealth) empower consumers to manage their health and care in new personalized ways. To succeed in mHealth, companies need to build trust by implementing ethical practices for data collection and use,” said Kristen Valdes, Founder and CEO of b.well Connected Health. “The CARIN code of conduct is a great tool for consumers to identify companies committed to privacy and the appropriate use of health data. As a consumer-facing mHealth platform, b.well Connected Health strongly supports and will follow the CARIN code of conduct for all of our users.”

Doug Hirsch, co-CEO of GoodRx, says, “Americans are savvy consumers when they understand their options. People should be able to understand what they’re being asked to pay for their medications before they get to a pharmacy or a hospital. The CARIN code of conduct provides a clear and forthright way to help consumers be fully informed and ensure that their data is being protected every step of the way.”

“Consumer trust is CareEvolution’s lifeblood as a consumer health application publisher. CareEvolution exists to help patients, their families and caregivers gain access and control of their health information, so they can better manage their health. We have relied on the CARIN code of conduct to guide not only our privacy practices and terms of use but our entire relationship with consumers,” said Dr. Vik Kheterpal of CareEvolution, Inc. “We believe this is a key reason why our application myFHR™ is one of the very first applications approved by CMS to access the BlueButton 2.0 data on behalf of the 54 million Medicare beneficiaries,” continued Kheterpal.

Dr. Frank Opelka, MD, FACS, medical director for quality and health policy at the American College of Surgeons, applauds the CARIN Alliance for its code of conduct and its commitment to securing and protecting patient information. “Ever-increasing efforts to enhance health and healthcare through digital services call for shared knowledge through data exchanges which may extend outside the protections of HIPAA. We support and encourage surgeons to engage patients in a trusted patient information environment using the voluntary framework found in the CARIN code of conduct. Our commitment to surgical patients’ care and their privacy extends to every aspect of their care.”

Cheryl Lulias, President and Executive Director at Medical Home Network and CEO of the Medical Home Network ACO, which was the first Medicaid ACO in Illinois, said, “Medical Home Network’s mission is to leverage the power of information to drive better care in the safety net. The CARIN code of conduct is a critically important step toward ensuring the most vulnerable members of our society (and their caregivers) have access to technologies that serve them well. We’re pleased to support the CARIN code of conduct as a balanced, thoughtful approach that will streamline access and — in many ways — go well beyond HIPAA in protecting the rights of individuals.”

Dr. Susan L. Turney, MD, MS, FACMPE, FACP, Marshfield Clinic Health System’s CEO, said, “As one of the nation’s largest rural integrated health systems serving Wisconsin with 1,200 providers and more than 3.5 million patient encounters each year, the Marshfield Clinic Health System is committed to empowering our patients with the health care information they need to make informed decisions on behalf of themselves and their families. We are looking forward to implementing solutions that abide by the CARIN code of conduct to help protect patient health information and ensure data sharing is based on the patient’s data sharing preferences. Patient-directed data exchange will help to meaningfully advance the ability for patients to become more informed, shared decision makers with their providers in the care decisions they make together.”

Health Plans

“Now more than ever, people are demanding access to their health care data and our role is to deliver while ensuring their personal data remains safe and secure when accessed through a third-party application,” says Laurent Rotival, CARIN board member and Cambia Health Solutions CIO and SVP of Strategic Technology Solutions. “This foundational document is the result of collaboration across multiple sectors with a shared vision in mind; to put consumers first, give them control over their personal information and make sure their data is safe.”

“As health insurer to one in three Americans, we believe all patients should be able to access their own health information whenever and wherever they need it,” said Kari Hedges, senior vice president, commercial markets and enterprise data solutions for Blue Cross Blue Shield Association. “Developing a secure way to empower patients and their families through the use of the latest technologies and third-party applications, as the CARIN code of conduct seeks to achieve, is an important piece of the puzzle in transforming how health and health care is accessed and delivered. We look forward to further collaborations with our private and public sector partners in our mission to put patients at the center of their care while also encouraging health care that is more coordinated, higher quality and more affordable.”

About the CARIN Alliance

The CARIN Alliance is a non-partisan, multi-sector alliance led by distinguished risk-bearing providers, payers, consumers, electronic health record vendors, pharmaceutical companies, consumer platform companies, digital health companies, and consumer advocates who are working collaboratively with other stakeholders in government to overcome barriers to advancing consumer-directed exchange across the U.S. The CARIN Alliance’s vision is to rapidly advance the ability of consumers and their authorized caregivers to easily get, use, and share their digital health information when, where, and how they want in order to achieve their goals. For more information, please visit or @carinalliance on Twitter.