CMS Patient Access API

This page describes the CMS Patient Access API Mandate, why it is a benefit to members, and outlines support channels for issues with sharing member data with 3rd party apps.

API Information for Developers.

The 21st Century Cures Act and the CMS Patient Access API

In December 2016, a bill called the 21st Century Cures Act was signed into law, with several important goals, including improved interoperability between health information systems, and increased patient access to their own health data. This law also empowered the Centers for Medicare & Medicaid Services to create regulations to further this goal, which it did with the creation of the CMS Interoperability and Patient Access final rule (CMS-9115-F). In order to increase patients’ access to their health data, the rule prohibits information blocking and requires health insurance plans to give members access and the ability to share their health plan data via an API endpoint with third-party applications of their choice. The deadline for health plans to comply with this mandate is July 1st, 2021.

What Does This Mean for you?

What this set of regulations means is that your health plan must make available all of your claims and clinical data contained in their systems via an API endpoint, where you can share this data with third-party applications of your choosing. Your health plan has contracted with 1upHealth, an industry leader in healthcare data integrations, and a cutting-edge data standard called FHIR, to give you access and the ability to share your data. When you wish to integrate your healthcare data with 3rd-party applications, such as MyCharts, Apple Health, or FitBit, you will connect through these applications to the 1upHealth platform, where you will confirm your identity to 1upHealth and your health plan by answering a few demographic questions and providing your email that is on file with your health plan. Once your identity is authenticated, your health plan will share your healthcare data with the 3rd-party application you have chosen, through the 1upHealth platform.

Why Share Your Data? Benefits and Risks

There are a host of benefits to this new ability to access and share your data. Some apps allow you to aggregate your data from multiple health systems to create a complete record of your interactions with different doctors and hospitals, and even combine it with data you generate on your own from wearable devices like glucose meters, pedometers, or heart rate monitors. Some other common uses include: prescription drug management, chronic disease management, nutrition tracking, and care coordination. Data sharing empowers you to have greater ownership of and visibility into your health data, and has the potential to improve both your health and the quality of care you receive from the health care system.

As with any interaction over the internet, these tremendous benefits are not without some level of risk. Your health plan takes your privacy and the security of your health information as seriously as you do. That’s why your data will never be shared without your express permission. Your health plan safeguards your data throughout the process of sharing it in several ways, including using challenge questions and multi-factor authentication to confirm you – and no one else – can access and share your data. It is important to understand though, that once your data is shared with a 3rd party application, your health plan is no longer responsible for the security of that data. This is why it is important to read the privacy and security policies for any application you choose to share your data with, to ensure you understand how it is protected and used by that application.

How to Report Identity Theft and Fraud

If you believe an application that you’ve shared your data with is misusing that information in violation of their stated privacy policy, contact the Federal Trade Commission to investigate the matter by going to ReportFraud.ftc.gov or calling (877)-382-4357.

If you believe the privacy of your health care data has been violated, contact the federal Department of Health and Human Services Office of Civil Rights at: www.hhs.gov/ocr/complaints.