Patient access is an approach to health information exchange where patients have a way to access their electronic medical records and can permit others access to those records electronically.
Patient access means explicit patient choice about who can access their health information and what information can be accessed. Patient access works in ways similar to other account-based electronic access methods. Patients use their health plan as an identity provider (IdP) to authenticate and identify themselves.
New APIs are being built using HL7® FHIR® to support electronic patient access in the United States. Flexpa helps developers use them.
This guide from Flexpa on patient access covers:
- A background on the policy and technical frameworks behind patient access
- What the authorization process looks like for patients
- What health information is available via patient access APIs
- Which patients are covered by access
The patient access API flow supported by Flexpa is built on top of:
- Legislation (like the 21st Century Cures Act)
- Agencies and policies (like CMS 9115 and TEFCA)
- Technical standards and implementations (like FHIR)
What are these and how do they connect to each other?
A diagram of how Patient Access flows from legislation into specific technical standards
At the top level, patient access is defined in terms of specific legislation and the actions of Federal agencies.
The 21st Century Cures Act (Cures Act) is a United States law that was enacted in December 2016. The Cures Act directed federal agencies "to build consensus and develop or support a trusted [health information] exchange framework."
Agencies and policies
Federal agencies like Centers for Medicare & Medicaid Services (CMS) and Office of the National Coordinator for Health Information Technology (ONC) have developed policies to satisfy the requirements of the Cures Act.
CMS primarily establishes national technical standards for health insurance payers because CMS is the federal agency inside the U.S. Department of Health and Human Services (HHS) responsible for Medicare and health insurance portability.
ONC leads a national health IT effort to establish technical standards to advance the electronic exchange between health care providers.
CMS Patient Access Final Rule
CMS-9115-F - “CMS Patient Access Final Rule” was a final rule dated May 1, 2020 that deals with making insurance and clinical data available to patients via SMART on FHIR (an OAuth 2.0-style authentication layer).
CMS-9115-F requires health plan payers (MA orgs, Medicaid programs, etc.) to produce a standards-based patient access API:
We are finalizing with modifications our proposal to require MA organizations, Medicaid and CHIP FFS programs, Medicaid managed care plans, CHIP managed care entities, and QHP issuers on the FFEs to implement and maintain a standards-based Patient Access API.
87 FR 2800 - “TEFCA” is a “trusted exchange framework and common agreement” dated Jan 19, 2022
Other emerging policies include:
CMS Prior Auth
CMS-9123-P - “CMS Prior Auth” was a proposed rule dated Jan 4, 2021 that deals with streamlining processes related to prior authorization
ONC Cures Act Final Rule
85 FR 25642 - “ONC Cures Act Final Rule” was a final rule dated June 30, 2020 that makes SMART on FHIR interoperability capabilities a hard requirement of the ONC EHR certification process
Technical standards and implementations
Policies from federal agencies increasingly often mandate that specific technical standards and implementations be used by participants in health information exchange.
For patient access, the two most important technical standards are:
- FHIR - a resource / document format schema and fully featured HTTP API (see for example ExplanationOfBenefit). Flexpa's API uses FHIR version R4.
- USCDI or United States Core Data for Interoperability - a set of common clinical data elements in the United States
Implementation Guides are a FHIR standards process development tool to describe a solution to a healthcare interoperability problem.
The most important Implementation Guides for patient access are:
Patients are directed to Flexpa Link via a digital health app, website, or SMS message.
Flexpa Link is an end-to-end patient data request flow for health plan identity providers (IdPs) supporting an account-based flow around their existing member ID. Patients are required to log in with member ID-linked account credentials.
- Patients are presented instructions on the data access request about to take place
- Patients are informed about the scope of the data access request
- Patients use member ID-based account credentials from health plan IdPs
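The steps above correspond to a SMART on FHIR (OAuth 2.0) authorization-code request. The following is an added example, not Flexpa's or any health plan's code: it builds the request with PKCE and a per-session `state`, rejects callbacks that do not belong to the session, and checks what the patient actually granted before any FHIR read. The endpoint URLs, client ID, redirect URI, and requested scopes are assumptions chosen for illustration.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed placeholder endpoints; a real client discovers the authorize URL
# from the FHIR server's .well-known/smart-configuration document.
AUTHORIZE_URL = "https://idp.healthplan.example/oauth2/authorize"
FHIR_BASE = "https://fhir.healthplan.example/r4"
REQUESTED = ["launch/patient", "patient/ExplanationOfBenefit.read",
             "patient/Coverage.read"]  # claims and policy details only

def start_authorization(client_id, redirect_uri):
    """Build a SMART standalone-launch URL with PKCE (S256) and a fresh state."""
    verifier = secrets.token_urlsafe(64)   # stays in the app's session store
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    state = secrets.token_urlsafe(32)      # ties the callback to this session
    query = urlencode({
        "response_type": "code", "client_id": client_id,
        "redirect_uri": redirect_uri, "scope": " ".join(REQUESTED),
        "state": state, "aud": FHIR_BASE,
        "code_challenge": challenge, "code_challenge_method": "S256"})
    return f"{AUTHORIZE_URL}?{query}", {"state": state, "code_verifier": verifier}

def handle_callback(callback_url, session):
    """Return the authorization code, or raise if the callback is not trusted."""
    params = parse_qs(urlparse(callback_url).query)
    returned = params.get("state", [""])[0]
    if not hmac.compare_digest(returned.encode(), session["state"].encode()):
        raise PermissionError("state mismatch: callback not from this session")
    if "error" in params:                  # e.g. the patient declined access
        raise PermissionError(params["error"][0])
    if "code" not in params:
        raise PermissionError("no authorization code in callback")
    return params["code"][0]

def may_read(granted_scope, resource_type):
    """True if the token response's scope (SMART v1 syntax) permits this read."""
    for scope in granted_scope.split():
        context, _, rest = scope.partition("/")
        rtype, _, perm = rest.partition(".")
        if context == "patient" and rtype in (resource_type, "*") \
                and perm in ("read", "*"):
            return True
    return False
```

The `scope` value returned with the access token can be narrower than what was requested, so `may_read` should be evaluated against the token response rather than against `REQUESTED`.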
Payers are the focus of available data sources because the authorization process uses health plan account membership. In general, there are two categories of health information data available through patient access APIs:
- Claims history and health plan policy details
- Clinical data known to the health plan
Health plans with CMS plans are specifically required to make those two kinds of data available via patient access APIs. That's the basis of Flexpa's API-based support for them:
We are requiring that the Patient Access API must, at a minimum, make available adjudicated claims (including provider remittances and enrollee cost-sharing); encounters with capitated providers; and clinical data, including laboratory results (when maintained by the impacted payer).
Patient data is individually available at those health plans where a patient has been a member or beneficiary currently or in the past. Data is generally available after 2016 and available within 24 hours of processing of that data by the health plan payer.
The form and format of all available data follows the FHIR standard. FHIR specifies Resources that are basically kinds of data classes.
The Flexpa API complements Flexpa Link by exposing a unified FHIR API to retrieve FHIR Resources following a successful patient authorization. The Flexpa API specifically uses the FHIR R4 version.
The following list documents which FHIR Resources are available in the two data categories.
Clinical data known to the health plan is made available through a list of FHIR Profiles in US Core (see Technical standards and implementations above).
Applicable FHIR resources here include:
Which patients can actually use patient access API flows?
Members and beneficiaries of health plans in this list have legally mandated access via CMS Patient Access:
- Medicare Advantage organizations
- Medicaid and CHIP FFS programs
- Medicaid managed care plans
- CHIP managed care entities
- QHP issuers on the FFEs
Flexpa supports CMS Patient Access from a large and growing number of health plan payers, which can be viewed here
Flexpa is the fastest way for your health app or patient journey to connect to new patient access APIs.
Our two products, Flexpa API and Flexpa Link, work together to help patients link their health plan digitally and make accessing health plan data easy.
- Adding Flexpa Link to your app lets patients link their health plan in one step.
- Flexpa API is used to search and retrieve health information belonging to a linked health plan.
Talk to us about patient access or try our quickstart.