Interoperability and Data API Information
Thank you for your interest in Marin County - Behavioral Health and Recovery Services (BHRS) interoperability capabilities and FHIR APIs. In accordance with the CMS Interoperability Rule (the Patient Access Final Rule and the Prior Authorization Final Rule, which apply to Medicaid FFS programs, CHIP FFS programs, Medicaid Managed Care Plans, and CHIP Managed Care Entities) and DHCS Behavioral Health Information Notice 23-032, BHRS has collaborated with CalMHSA to provide third-party API connections through CalMHSA Connex. CalMHSA Connex is a County Behavioral Health-focused Health Information Exchange.
For more information, or to request access to Marin County - BHRS interoperability and FHIR APIs, please visit CalMHSA Connex APIs - California Mental Health Services Authority, or type https://www.calmhsa.org/interoperability-api/ into your web browser.
For more information on the Marin County - BHRS Provider Directory API, please visit Swagger UI (ehn-prod.net), or type https://fhir-calmhsa-provider.ehn-prod.net/fhir/swagger-ui/?page=Location into your browser.
Member Educational Resources
Privacy and Security
Steps You May Consider Taking to Help Protect Privacy and Security of Health Information:
Marin BHRS takes the following steps to protect the privacy and security of health information:
- Compliance with privacy and data-sharing guidelines set forth by DHCS and by federal and state governing bodies
- Regularly scheduled audits of data and privacy controls by governing boards and independent auditors
- Secure internal health data, HIPAA-compliant vendor communications, and multifactor authentication
- Multiple tiers of security monitoring software and required vendor security software assessments/clearances
- Disaster and data loss recovery plans that are regularly reviewed and audited
- Use of secure network communication protocols
Understanding the Security and Privacy Practices of any Application to which you Entrust your Health Information:
A publicly accessible link to educational resources is provided to ensure members understand how to protect the privacy and security of their health information. The following is a list of health-organization standards that third-party health apps must meet and that subscribers must understand when signing up for access to these apps:
- The importance of understanding the privacy practices of third-party applications: https://www.cms.gov/files/document/patient-privacy-and-security-resources.pdf
- Oversight by the Federal Trade Commission (FTC) of third-party and mobile health apps, as well as how to submit complaints (see the Oversight section below): https://www.ftc.gov/business-guidance/resources/mobile-health-apps-interactive-tool
- Health and Human Services guidance on member access rights and compliance for third-party apps and APIs: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access-right-health-apps-apis/index.html
General HIPAA-Covered Entities, Non-entities and Oversight Agencies
HIPAA (Health Insurance Portability and Accountability Act) covers entities that handle protected health information (PHI). More information can be found at: https://www.hhs.gov/hipaa/for-individuals/guidance-materials-for-consumers/index.html
Covered entities include:
1. Healthcare Providers (if they transmit health information electronically):
- Hospitals
- Doctors’ offices
- Clinics
- Dentists
- Psychologists
- Chiropractors
- Nursing homes
- Pharmacies
2. Health Plans:
- Health insurance companies
- HMOs (Health Maintenance Organizations)
- Employer-sponsored health plans
- Medicare and Medicaid programs
3. Healthcare Clearinghouses:
- Entities that process nonstandard health information into a standard format (such as billing services and re-pricing companies).
4. Business Associates (organizations that handle health information on behalf of covered entities):
- Third-party administrators
- IT service providers (for health information systems)
- Billing companies
- Legal and accounting firms (if they have access to health information)
Entities or individuals that generally are not covered by HIPAA include:
1. Employers (not providing healthcare services or self-insured plans):
- Businesses that only handle employee health information for employment-related reasons (e.g., sick leave or FMLA forms) are not considered covered entities.
2. Life Insurance Companies:
- Life insurers are not covered entities because they do not provide healthcare or process health information for healthcare purposes.
3. Workers’ Compensation Carriers:
- These entities handle work-related injury claims but are not considered health plans under HIPAA.
4. Schools:
- Schools (unless they employ a healthcare provider and transmit health information electronically) are generally not covered entities.
5. Personal Health App Developers:
- Apps for personal fitness tracking (e.g., Fitbit, Apple Health) that are not linked to healthcare providers or health plans are not covered entities.
6. Research Institutions (without healthcare provider roles):
- Institutions that do not provide treatment or billing for healthcare services typically do not fall under HIPAA.
7. Non-Healthcare Providers:
- Gyms, alternative medicine providers (unless they bill electronically), and employers’ onsite medical clinics generally are not covered unless they meet the specific HIPAA covered criteria.
Oversight Responsibilities:
- Office for Civil Rights (OCR): Part of the U.S. Department of Health and Human Services (HHS), OCR enforces HIPAA privacy and security rules for covered entities. It investigates complaints and conducts audits to ensure compliance.
- Federal Trade Commission (FTC): The FTC plays a role in enforcing privacy and security standards for non-HIPAA-covered entities, such as mobile health apps and health-related websites. It promotes consumer protection and addresses deceptive or unfair practices.
How to Submit Complaints:
Office for Civil Rights (OCR): If you believe that a HIPAA-covered entity or its business associate violated your (or someone else’s) health information privacy rights or committed another violation of the Privacy, Security, or Breach Notification Rules, you may file a complaint with OCR.
- To file a complaint online with OCR using the OCR complaint portal, visit https://ocrportal.hhs.gov/ocr/smartscreen/main.jsf. To learn more about filing a complaint with OCR under HIPAA, visit: https://www.hhs.gov/hipaa/filing-a-complaint/index.html
- If you have any questions or need help filing a civil rights, conscience or religious freedom, or health information privacy complaint, you may email OCR at OCRMail@hhs.gov or call the U.S. Department of Health and Human Services, Office for Civil Rights toll-free at 1-800-368-1019, TDD: 1-800-537-7697.
- Mail: Send a written complaint to the appropriate regional OCR office.
Federal Trade Commission (FTC): To file a complaint about a non-HIPAA-covered entity, use the FTC Complaint Assistant:
- Visit the FTC website and use the Complaint Assistant tool: https://reportfraud.ftc.gov/
- If you are unable to use the online tool, you can call the FTC’s Consumer Resource Center at 1-877-382-4357.
In both cases, providing detailed information about the incident will help the agencies investigate and address the complaint effectively. Keep in mind that the OCR and FTC work collaboratively to ensure comprehensive oversight and protection of health information privacy.