Patient access is an approach to health information exchange where patients have a way to obtain their claims and clinical records. Patients can also grant others permission to those records electronically.
Patient access means explicit patient choice about who can see their health information and what specific information can be accessed. Patient access works in ways similar to other account-based electronic access methods. Patients use their health plan as an identity provider (IdP) to authenticate and identify themselves.
New APIs are being built using HL7® FHIR® to support electronic patient access in the United States.
Flexpa is the fastest way for your health app or patient journey to connect to new Patient Access APIs.
Our two products, Flexpa API and Flexpa Link, work together to help patients connect their health plan digitally and make accessing health plan data easy.
This guide covers:
- Background on the policy and technical frameworks behind patient access
- What the authorization process looks like for patients
- What health information is available via Patient Access APIs
- Which patients are covered by access
The Patient Access API flow supported by Flexpa is built on top of:
- Legislation (like the 21st Century Cures Act)
- Agencies and policies (like CMS 9115 and TEFCA)
- Technical standards and implementations (like FHIR)
A diagram of how patient access flows from legislation into specific technical standards
At the top level, patient access is defined in terms of specific legislation and the actions of Federal agencies.
The 21st Century Cures Act (Cures Act) is a United States law enacted in December 2016. The Cures Act directed federal agencies "to build consensus and develop or support a trusted [health information] exchange framework."
Federal agencies like Centers for Medicare & Medicaid Services (CMS) and Office of the National Coordinator for Health Information Technology (ONC) have developed policies to satisfy the requirements of the Cures Act.
The U.S. Department of Health and Human Services (HHS) is a Cabinet-level executive branch department of the U.S. federal government created to protect the health of all Americans and provide essential human services.
The Centers for Medicare & Medicaid Services (CMS) primarily establishes national technical standards for health insurance payers because CMS is the federal agency within the U.S. Department of Health and Human Services (HHS) responsible for Medicare and health insurance portability.
The Office of the National Coordinator for Health Information Technology (ONC) leads a national health IT effort to establish technical standards to advance electronic exchange between health care providers.
CMS Patient Access Final Rule
CMS-9115-F, “CMS Patient Access Final Rule”, was a final rule dated May 1, 2020 that deals with making insurance and clinical data available to patients via SMART on FHIR (an OAuth 2.0-style authentication layer).
CMS-9115-F requires health plan payers (MA orgs, Medicaid programs, etc.) to produce a standards-based Patient Access API:
We are finalizing with modifications our proposal to require MA organizations, Medicaid and CHIP FFS programs, Medicaid managed care plans, CHIP managed care entities, and QHP issuers on the FFEs to implement and maintain a standards-based Patient Access API.
ONC Cures Act Final Rule
85 FR 25642, “ONC Cures Act Final Rule” was a final rule dated June 30, 2020 that makes SMART on FHIR interoperability capabilities a hard requirement of the ONC EHR certification process.
Trusted Exchange Framework and Common Agreement
87 FR 2800, “TEFCA” is a “trusted exchange framework and common agreement” dated Jan 19, 2022, stemming from directives in the 21st Century Cures Act.
CMS Prior Authorization
CMS-9123-P, “CMS Interoperability and Prior Authorization Proposed Rule” was a proposed rule dated Jan 4, 2021 that deals with streamlining processes related to prior authorization. It proposed expansion to patient access (including prior authorization data), new provider access to payer data at the point of care, and bidirectional exchange supporting electronic prior authorization.
CMS-9123-P was superseded by CMS-0057-P, "CMS Advancing Interoperability and Improving Prior Authorization Processes Proposed Rule" as of Dec 6, 2022, largely promoting the same set of capabilities as the previous proposed rule.
Technical standards and implementations
Policies from federal agencies increasingly mandate that participants in health information exchange use specific technical standards and implementations.
For patient access, the two most important technical standards are:
- FHIR, a resource and document format schema and fully featured HTTP API (e.g., ExplanationOfBenefit). Flexpa's API uses FHIR version R4.
- USCDI, or United States Core Data for Interoperability, a set of common clinical data elements in the United States
Implementation Guides are a FHIR standards development tool used to describe a solution to a healthcare interoperability problem.
The most important Implementation Guides for patient access are:
Patients are directed to Flexpa Link via a digital health app, website, or SMS message.
Flexpa Link is an end-to-end patient data request flow for health plan identity providers (IdPs) supporting an account-based flow around their existing member ID. Patients are required to log in with member ID-linked account credentials.
- Patients are presented instructions on the data access request about to take place
- Patients are informed about the scope of the data access request
- Patients use member ID-based account credentials from health plan IdPs
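The steps above correspond to a SMART on FHIR (OAuth 2.0) authorization request followed by a redirect back to the app. The sketch below is an added example, not Flexpa's code or API: it builds a standalone-launch request with PKCE and a `state` value, restricts scopes to read-only patient-level access, and validates the callback. The endpoint URLs, client ID, redirect URI and scope set are constructed placeholders.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders and an assumed scope set (SMART v1 syntax); not real endpoints or Flexpa identifiers.
AUTHORIZE_URL = "https://idp.payer.example/oauth2/authorize"
FHIR_BASE = "https://fhir.payer.example/r4"
CLIENT_ID = "example-app"
REDIRECT_URI = "https://app.example/callback"
SCOPES = ["launch/patient", "patient/ExplanationOfBenefit.read", "patient/Coverage.read"]


def start_authorization(scopes=SCOPES):
    """Return (url, session) for a standalone-launch authorization request."""
    for s in scopes:
        read_only = s.startswith("patient/") and s.endswith(".read") and "*" not in s
        if s != "launch/patient" and not read_only:
            raise ValueError(f"scope exceeds read-only patient access: {s}")
    state = secrets.token_urlsafe(32)     # binds the callback to this session
    verifier = secrets.token_urlsafe(64)  # PKCE code_verifier (RFC 7636), kept server-side
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,
        "aud": FHIR_BASE,                 # SMART: the FHIR server the token is for
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}", {"state": state, "code_verifier": verifier}


def handle_callback(callback_url, session):
    """Validate the redirect and return the authorization code to exchange."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise PermissionError(f"authorization denied: {query['error'][0]}")
    returned = query.get("state", [""])[0].encode()
    if not hmac.compare_digest(returned, session["state"].encode()):
        raise PermissionError("state mismatch: callback not tied to this session")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback missing authorization code")
    return code
```

The `code_verifier` stored in the session is sent with the token request, so an intercepted authorization code cannot be redeemed by another client.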
Payers are the focus of available data sources because the authorization process uses health plan account membership. In general, two categories of health information data are available through Patient Access APIs:
- Claims history and health plan policy details
- Clinical data known to the health plan
Health plans with CMS plans are specifically required to make those two kinds of data available via Patient Access APIs. That's the basis of Flexpa's API-based support for them:
We are requiring that the Patient Access API must, at a minimum, make available adjudicated claims (including provider remittances and enrollee cost-sharing); encounters with capitated providers; and clinical data, including laboratory results (when maintained by the impacted payer).
Patient data is individually available at those health plans where a patient is currently, or has in the past been, a member or beneficiary. Data is generally available after 2016 and available within 24 hours of processing of that data by the health plan payer.
The form and format of all available data follows the FHIR standard. FHIR specifies Resources that are basically kinds of data classes.
The Flexpa API complements Flexpa Link by exposing a unified FHIR API to retrieve FHIR Resources following a successful patient authorization. The Flexpa API specifically uses the FHIR R4 version.
The following list documents which FHIR Resources are available in the two data categories.
Clinical data known to the health plan is made available through a list of FHIR Profiles in US Core (see Technical standards and implementations above).
Applicable FHIR Resources here include:
Which patients can actually use Patient Access API flows?
Members and beneficiaries of health plans in this list have legally mandated access via CMS Patient Access:
- Medicare Advantage organizations
- Medicaid and CHIP FFS programs
- Medicaid managed care plans
- CHIP managed care entities
- QHP issuers on the FFEs
Flexpa supports CMS Patient Access from a large and growing number of health plan payers, which can be viewed here.