Usage patterns
Understanding your data needs is an important part of leveraging Flexpa for your use case. Do you need patient data only one time, upon authorization? Or do you need ongoing access to a patient's data?
For instance, if you're developing a patient onboarding experience and need their claims history only at that moment, one-time usage would suffice.
However, if you require continuous access, such as a clinical research organization monitoring regular intervals during a study, or an ICHRA or plan administrator ensuring regulatory compliance, multiple usage is the optimal choice. This allows ongoing access to a patient's data without requiring re-authorization each time.
Either way, Flexpa has you covered. During the FlexpaLink.create step you will pass a required usage parameter depending on your desired access timeline. Let's break down each flow, starting with one-time usage.
#One Time Usage
If your application only needs to access a patient's data within 24 hours of authorization, you would select ONE_TIME usage during FlexpaLink creation.
You will receive a non-refreshable access token that's valid for 24 hours. After the access token expires, Flexpa expunges the patient's data. If you want to access that patient's data again, the patient will need to re-authorize through Flexpa Consent.
To use the one-time usage flow:
- First, pass the
ONE_TIME string to the usage parameter during FlexpaLink.create.
- Once the patient completes the Flexpa Link flow, you will receive a public token.
- Exchange the public token for an
access_token during the exchange step.
Note: You will not receive a refresh_token during the exchange step as you would with multiple usage.
- The
access_token is valid for 24 hours and can be used to make unlimited FHIR resource requests for that patient from the Flexpa API.
- Once the
access_token expires, Flexpa expunges the patient's data, and you will no longer be able to make FHIR resource requests to the Flexpa API for that patient.
#Multiple Usage
If you would like your app to have access to refreshed patient data over time, multiple usage is your solution.
The original patient authorization will be kept valid for as long as the network endpoint allows and Flexpa will update the patient's data at least every 24 hours for as long as that authorization is valid.
To use the multiple usage flow:
- First, pass the
MULTIPLE string to the usage parameter during FlexpaLink.create.
- Once the patient completes the Flexpa Link flow, you will receive a public token.
- Exchange the public token for both an
access_token and a refresh_token during the exchange step.
- The
access_token is valid for 24 hours and can be used to make unlimited FHIR resource requests for that patient from the Flexpa API.
- Once the
access_token is expired, use the refresh_token to make a call to our token refresh endpoint, https://api.flexpa.com/link/token, to receive a new access_token and refresh_token. This access_token is valid for another 24 hours.
- Use your new
access_token to make unlimited FHIR resource requests for that patient from the Flexpa API.
Flexpa will maintain the authorization with the network endpoint for as long as the endpoint allows. During this time you do not need to have the patient re-authorize. If your access_token is expired (which you can check by making a request to the introspect endpoint), simply use your latest refresh_token to obtain a new access_token and get updated (within the last 24 hours) patient data from the Flexpa API.
Note: Not all network endpoints are refreshable and support multiple usage. If this is the case, Flexpa will fall back to one-time usage.
#Network Refresh Periods
Different networks have varying refresh periods for data updates. Understanding these periods helps set appropriate expectations for data freshness when using multiple usage patterns.
| Network | Refresh Period | Commentary |
|---|
| TEFCA IAS | Real-time to 24 hours | Individual Access Services under TEFCA provide near real-time access to patient data with minimal latency. Most updates are reflected within hours of the original transaction. |
| CMS-9115 | 24-48 hours | CMS Patient Access API requirements mandate data refresh within 24 hours for most resources. Some network endpoints may have slightly longer refresh cycles during high-volume periods. |
| ONC (g)(10) | 24 hours | The ONC Cures Act Final Rule requires patient access to data without unnecessary delay, typically within 24 hours of the data being available in the provider's system. |
#FAQ
#How long will Flexpa maintain the authorization for during multiple usage?
Flexpa attempts to maintain the authorization indefinitely or up to the maximum allowable limit for the network endpoint. You can view this under "Token details" in our Endpoint Directory.
#I've chosen multiple usage, but I can't access the Flexpa API and my access token is expired. What gives?
For security purposes, each access_token is only valid for 24 hours. Flexpa does continue to maintain the authorization and update the patient's data, however. Simply use your refresh_token to make a call to the token refresh endpoint, to obtain a new access_token and continue to access that patient's data.
#Is multiple usage available for all network endpoints?
Unfortunately, no. While most network endpoints do allow us to refresh the authorization, some do not. You can see a list of endpoints that do not support a refreshable token by viewing our Endpoint Directory and selecting "Non-refreshable Token" from the dropdown labeled "All token types".
If this is the case, Flexpa will automatically fallback to one-time usage, allowing you to access the patient's data for up to 24 hours. When this happens you will not receive a refresh_token during the exchange step.
#How long is the refresh token valid for?
Each refresh_token is valid for 90 days (7776000 seconds).