Patient access

The “Patient Access APIs” supported by Flexpa are built on top of a set of legislative, policy, and technical standards / implementations maintained by different stakeholders. Where do they come from and how does it work?

Let's cover two basic meanings of patient access:

  1. Patient access is a principled approach to data access by patients, and;
  2. Patient access is defined in specific FHIR profiles inside of FHIR Implementation Guides. HL7® FHIR® is a REST API + document schema for healthcare.

This is an especially jargon-y space but it can be mapped from end-to-end with careful attention and enough coffee. Let's start with the big picture and work all the way down to the specific APIs accessible through Flexpa.

A diagram of how Patient Access flows from legislation into specific technical standards

A diagram of how Patient Access flows from legislation into specific technical standards

At the top level, patient access is defined in terms of specific legislation and the actions of Federal agencies. The 21st Century Cures Act (Cures Act) is a United States law that was enacted in December 2016. Federal agencies such as Centers for Medicare & Medicaid Services (CMS) and Office of the National Coordinator for Health Information Technology (ONC) have developed policies to satisfy the requirements of the Cures Act.

  • CMS primarily establishes national technical standards for health insurance payers because CMS is the federal agency inside of HHS responsible for Medicare + health insurance portability
    • CMS-9115-F - “CMS Patient Access Final Rule” was a final rule dated May 1, 2020 that deals with making insurance + clinical data available to patients via SMART on FHIR
    • CMS-9123-P - “CMS Prior Authorization” was a proposed rule dated Jan 4, 2021 that deals with streamlining processes related to prior authorization
  • ONC leads a national health IT effort to establish technical standards to advance the electronic exchange between health care providers
    • 87 FR 2800 - “TEFCA” is a “trusted exchange framework and common agreement” dated Jan 19, 2022
    • 85 FR 25642 - “ONC Cures Act Final Rule” was a final rule dated June 30, 2020 that makes SMART on FHIR interoperability capabilities a hard requirement of the ONC EHR certification process

These policies follow a pattern of proposals and final rulings typical of federal agencies. Both CMS and ONC release documents in the Federal Register. These documents sometimes establish specific technical standards and implementations as “hard requirements”.

Standards / implementations evolve out of multistakeholder industry interoperability efforts sheparded by HL7's working groups - including most prominently HL7 FHIR.

Where does Flexpa fit?

Verify health plan and patient data with a login. No information blocking.

Flexpa is a connection layer between your application and the technical standards / implementations referenced by federal agencies. Third party developers can create applications that involve Patient Access API based authorization of health and healthcare data.

Today, our focus is on making it easy to use APIs mandated by CMS Patient Access. So let's cover those in more detail.

CMS Patient Access

CMS-9115-F boils down to requiring health plan payers to produce a standards based Patient Access API:

We are finalizing with modifications our proposal to require MA organizations, Medicaid and CHIP FFS programs, Medicaid managed care plans, CHIP managed care entities, and QHP issuers on the FFEs to implement and maintain a standards-based Patient Access API.

85 FR 25513, F. Summary of Major Provisions

Which patients can use this?

Flexpa has built-in support for health system endpoints created for CMS Patient Access


Patients/beneficiaries with health plans from the following are in scope:

  • Medicare Advantage organizations
  • Medicaid and CHIP FFS programs
  • Medicaid managed care plans
  • CHIP managed care entities
  • QHP issuers on the FFEs

Together, these programs and organizations have approximately 112,000,000 enrollees.

What data is available?

The form and format of all available data follows the FHIR standard. FHIR specifies Resources that are basically kinds of data classes.

API access to both financial information about health insurance and clinical data are required:

We are finalizing that through the Patient Access API, payers must permit third-party applications to retrieve, with the approval and at the direction of a current enrollee, data specified at 42 CFR 422.119, 431.60, 457.730, and 45 CFR 156.221.

Specifically, we are requiring that the Patient Access API must, at a minimum, make available adjudicated claims (including provider remittances and enrollee cost-sharing); encounters with capitated providers; and clinical data, including laboratory results (when maintained by the impacted payer).

85 FR 25513, F. Summary of Major Provisions

MA organizations are required to produce their Patient Access API with specific standards and implementations in mind (via 45 CFR 170.215), listed below.



Clinical data

Flexpa can be used to access clinical data in US Core Profiles

Medications example

If a MA organization maintains clinical data, including laboratory results, they are required to make such data available in a Patient Access API in addition to encounter data from capitated providers.

Practically speaking, most implementations make some subset of these specific FHIR Profiles (a profile is sub-class of a Resource) provided by US Core Implementation Guide.

  • US Core AllergyIntolerance Profile
  • US Core CarePlan Profile
  • US Core CareTeam Profile
  • US Core Condition Profile
  • US Core DiagnosticReport Profile for Laboratory Results Reporting
  • US Core DiagnosticReport Profile for Report and Note exchange
  • US Core DocumentReference Profile
  • US Core Encounter Profile
  • US Core Goal Profile
  • US Core Immunization Profile
  • US Core Implantable Device Profile
  • US Core Laboratory Result Observation Profile
  • US Core Location Profile
  • US Core Medication Profile
  • US Core MedicationRequest Profile
  • US Core Organization Profile
  • US Core Patient Profile
  • US Core Practitioner Profile
  • US Core PractitionerRole Profile
  • US Core Procedure Profile
  • US Core Provenance Profile
  • US Core Smoking Status Observation Profile
  • US Core Vital Signs Profile

Financial data

Flexpa can be used to access to financial data in C4BB Profiles

Finding Member ID