Patient access API access guide

Overview

The Patient Access is a secure and public-facing API to make patient membership, coverages, claims, clinical and RX formulary information available. This API requires authentication for any user.

This documentation presumes that anyone accessing the API is familiar with the implementation guides for patient access USCore (hl7.org), HL7.FHIR.US.CARIN-BB\Home - FHIR v4.0.1 and https://build.fhir.org/ig/HL7/davinci-pdex-formulary/.

Third party application developer registration

To gain access to the API developer portal, register third party applications, and request third party application client credentials, developers should first create an API Developer Portal account using Capital Blue Cross - user security - register one (capbluecross.com).

If you are a registered developer, you can login here.

Once the API Developer has an account they can register their Organization and Third Party Application(s) via the API Developer Portal. At the time of registration access to production and/or demo environment can be requested.

Part of the third party application registration process includes requesting client credentials. The OAuth2 Authorization Server / Open ID Connect Provider (AS/OP) provides necessary details for establishing secure communication with the third party application.

Demo/Sandbox environment

At the time an application is registered access to a production and/or demo environment can be requested.

The FHIR base server URL for the live response production environment is: https://patientaccess-api.capbluecross.com/r4. The FHIR base server URL for the demo (e.g. third party application test or sandbox environment) is: https://patientaccess-api-demo.capbluecross.com/r4.

The live response production environment capability statement is available here: https://patientaccess-api.capbluecross.com/r4/metadata. The demo (e.g. third party application test or sandbox environment) capability statement is available here: https://patientaccess-api-demo.capbluecross.com/r4/metadata.

An example of retrieving the live response production environment capability statement is below. Note that the HTTP Accept header is required. This command will download the capability statement into a file named capbluecross-cs-prod.json:

curl -s https://patientaccess-api.capbluecross.com/r4/metadata --header "Accept: application/json" --output capbluecross-cs-prod.json

An example of retrieving the demo (e.g. third party application test or sandbox environment) capability statement is below. Note that the HTTP Accept header is required. This command will download the capability statement into a file named capbluecross-cs-demo.json:

curl -s https://patientaccess-api-demo.capbluecross.com/r4/metadata --header "Accept: application/json" --output capbluecross-cs-demo.json

Our FHIR RESTful capabilities include:

  1. Support the US Core resource profiles – conformance expectation SHALL.
  2. Support the CARIN-BB resource profiles conformance expectation SHALL.
  3. Support the US Drug Formulary resource profiles – conformance expectation SHALL.
  4. Implement the RESTful behavior according to the FHIR specification.
  5. For all the supported search interactions in this guide, support the GET based search only.
  6. Return the following response classes (at a minimum):
    • (Status 400): invalid parameter
    • (Status 401/4xx): unauthorized request
    • (Status 403): insufficient scopes
    • (Status 404): unknown resource
  7. Support JSON source formats for all US Core, CARIN-BB and US Drug Formulary interactions.
  8. Support the search parameters on each profile individually and in combination – conformance expectation SHALL.

Capital supports below capability statements:

Third party applications will need to follow the SMART on FHIR specification, version 1.0.0. Third party applications must be pre-registered in the API Developer portal. This process begins with the creation of an API Developer account. After account creation, the API Developer will be walked through registering their application organization and their third party application. Currently, this Patient Access API implementation only supports patient read resource scopes along with the Smart on FHIR scopes such as launch/patient, fhirUser, openid, etc.

Capital Blue Cross monitors API requests, and request patterns, reserving the right to block IP address(es) if API traffic originating from that address(es) frequently disrupts normal operations of the API or demonstrates patterns of behavior consistent with attempts to attack the systems providing the API.

Resources

Description

CMS Interoperability and Patient Access Final Rule

Interoperability and Patient Access Final Rule (May 1, 2020) Medicare and Medicaid Programs; Patient Protection and Affordable Care Act; Interoperability and Patient Access for Medicare Advantage Organization and Medicaid Managed Care Plans, State Medicaid Agencies, CHIP Agencies and CHIP Managed Care Entities, Issuers of Qualified Health Plans on the Federally-Facilitated Exchanges, and Health Care Providers (85 Fed. Reg. 25510)

21st Century Cures Act

Interoperability, Information Blocking, and the ONC Health IT Certification Program