Patient access is an approach to health information exchange where patients have a way to obtain their claims and clinical records. Patients can also grant others permission to those records electronically.
Patient access means explicit patient choice about who can see their health information and what specific information can be accessed. Patient access works in ways similar to other account-based electronic access methods. Patients use their health plan as an identity provider (IdP) to authenticate and identify themselves.
New APIs are being built using HL7® FHIR® to support electronic patient access in the United States.
Flexpa is the fastest way for your health app or patient journey to connect to new Patient Access APIs.
Our two products, and Flexpa Link, work together to help patients connect their health plan digitally and make accessing health plan data easy. Flexpa API
This guide covers:
- Background on the policy and technical frameworks behind patient access
- What the authorization process looks like for patients
- What health information is available via Patient Access APIs
- Which patients are covered by access
The Patient Access API flow supported by Flexpa is built on top of:
- Legislation (like the 21st Century Cures act)
- Agencies and policies (like CMS 9115 and TEFCA)
- Technical standards and implementations (like FHIR)
A diagram of how patient access flows from legislation into specific technical standards
At the top level, patient access is defined in terms of specific legislation and the actions of federal agencies.
The 21st Century Cures Act (Cures Act) is a United States law enacted in December 2016. The Cures Act directed federal agencies "to build consensus and develop or support a trusted [health information] exchange framework."
In addition to federal regulation of health technology, state regulatory bodies are also starting to require patient access.
Federal agencies like Centers for Medicare & Medicaid Services (CMS) and Office of the National Coordinator for Health Information Technology (ONC) have developed policies to satisfy the requirements of the Cures Act.
U.S. Department of Health and Human Services (HHS) is a Cabinet-level executive branch department of the U.S. federal government created to protect the health of all Americans and providing essential human services.
The Centers for Medicare & Medicaid Services (CMS) primarily establish national technical standards for health insurance payers because CMS is the federal agency inside of the U.S. Department of Health and Human Services (HHS) responsible for Medicare + health insurance portability.
Office of the National Coordinator for Health Information Technology leads a national health IT effort to establish technical standards to advance the electronic exchange between health care providers.
#Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a United States legislation that provides data privacy and security provisions for safeguarding medical information. The key elements of HIPAA cover both the privacy and security of patients' health information, particularly when handled by certain health care entities such as insurance providers and healthcare providers.
HIPAA is relevant to patient access because it governs how personal health information can be shared and with whom. Any solutions implementing patient access, including APIs, must comply with HIPAA regulations to ensure that sensitive patient information is appropriately safeguarded, disclosed, and used.
Flexpa ensures that its products and Flexpa Link comply with all relevant aspects of HIPAA, providing a secure platform for patients to access their health information while maintaining their privacy rights. Flexpa API
It is crucial to note that HIPAA also outlines the provisions for patients to have access to their health information. This facilitates the "right of access" for patients, an essential principle that underlies patient access and APIs designed for this purpose.
Flexpa facilitates this with the explicit consent of the patient. In the Patient Access APIs workflow, patients directly consent to share specific health information with authorized parties.
#CMS Patient Access Final Rule
CMS-9115-F, “CMS Patient Access Final Rule” was a final rule dated May 1, 2020 that deals with making insurance + clinical data available to patients via SMART on FHIR (an OAuth 2.0-style authentication layer)
CMS-9115-F requires health plan payers (MA orgs, Medicaid programs, etc.) to produce a standards-based Patient Access API:
We are finalizing with modifications our proposal to require MA organizations, Medicaid and CHIP FFS programs, Medicaid managed care plans, CHIP managed care entities, and QHP issuers on the FFEs to implement and maintain a standards-based Patient Access API.
#ONC Cures Act Final Rule
85 FR 25642, “ONC Cures Act Final Rule” was a final rule dated June 30, 2020 that makes SMART on FHIR interoperability capabilities a hard requirement of the ONC EHR certification process.
#Trusted Exchange Framework and Common Agreement
87 FR 2800, “TEFCA” is a “trusted exchange framework and common agreement” dated Jan 19, 2022, stemming from directives in the 21st Century Cures Act.
#CMS Prior Authorization
CMS-9123-P, “CMS Interoperability and Prior Authorization Proposed Rule” was a proposed rule dated Jan 4, 2021 that deals with streamlining processes related to prior authorization. It proposed expansion to patient access (including prior authorization data), new provider access to payer data at the point of care, and bidirectional exchange supporting electronic prior authorization.
CMS-9123-P was superseded by CMS-0057-P, "CMS Advancing Interoperability and Improving Prior Authorization Processes Proposed Rule" as of Dec 6, 2022, largely promoting the same set of capabilities as the previous proposed rule.
California SB-1419 requires health care service plans and health insurers to establish and maintain specified application programming interfaces (API) for the access and exchange of health data and plan information, as required by federal regulations.
This mandate will take effect on January 1, 2024, and failure to comply would result in a willful violation of the law, which is a crime. The bill imposes a state-mandated local program that extends the CMS-9115 regulation to include plan types that the CMS could not regulate, such as state based exchanges and traditional employer sponsored plans.
#Technical standards and implementations
Policies from federal agencies increasingly often mandate that specific technical standards and implementations be used by participants in health information exchange.
For patient access, the two most important technical standards are:
- FHIR a resource and document format schema and fully featured HTTP API (e.g., ExplanationOfBenefit). Flexpa's API use FHIR version R4.
- USCDI or United States Core Data for Interoperability, a set of common clinical data elements in the United States
Implementation Guides are a FHIR standards process development tool to describe a solution to a healthcare interoperability problem.
The most important Implementation Guides for patient access are:
Patients are directed to via a digital health app, website, or SMS message. Flexpa Link
is an end-to-end patient data request flow for health plan identity providers (IdPs) supporting an account-based flow around their existing member ID. Patients are required to log in with member ID-linked account credentials. Flexpa Link
- Patients are presented instructions on the data access request about to take place
- Patients are informed about the scope of the data access request
- Patients use member ID-based account credentials from health plan IdPs
Payers are the focus of available data sources because the authorization process uses health plan account membership. In getting-started, two categories of health information data is available through Patient Access APIs:
- Claims history and health plan policy details
- Clinical data known to the health plan
Health plans with CMS plans are specifically required to make those two kinds available via Patient Access APIs. That's the basis of Flexpa's API-based support for them:
We are requiring that the Patient Access API must, at a minimum, make available adjudicated claims (including provider remittances and enrollee cost-sharing); encounters with capitated providers; and clinical data, including laboratory results (when maintained by the impacted payer).
Patient data is individually available at those health plans where a patient has been a member or beneficiary currently or in the past. Data is getting-startedly available after 2016 and available within 24 hours of processing of that data by the health plan payer.
The form and format of all available data follows the FHIR standard. FHIR specifies Resources that are basically kinds of data classes.
The complements Flexpa API by exposing a unified FHIR API to retrieve FHIR Resources following a successful patient authorization. The Flexpa API specifically uses Flexpa Linkthe FHIR R4 version.
The following list documents which FHIR Resources are available in the two data categories.
Clinical data known to the health plan is made available through a list of FHIR Profiles in US Core (see Technical standards and implementations above).
Applicable FHIR Resources here include:
Which patients can actually use Patient Access API flows?
Members and beneficiaries of health plans in this list have legally mandated access via CMS Patient Access:
- Medicare Advantage organizations
- Medicaid and CHIP FFS programs
- Medicaid managed care plans
- CHIP managed care entities
- QHP issuers on the FFEs
Flexpa supports CMS Patient Access from a large and growing number of health plan payers, which can be viewed here.