CMS Interoperability: Seamless Access to Patient Data
- Isuru Uyanage
- Associate Technical Lead, WSO2
Introduction
The Patient Access API, introduced under CMS-9115-F, requires health plans, including Medicare Advantage, Medicaid, the Children’s Health Insurance Program (CHIP), and the Qualified Health Plan (QHP) on federally facilitated exchanges to give patients secure, real-time access to their health data via standardized APIs. Patients can use third-party apps of their choice to view key information such as claims, coverage, encounters, medications, and lab results, promoting greater transparency and engagement.
The CMS-0057-F rule expands the Patient Access API to include prior authorization data as defined in USCDI v3. Payers must make the following prior authorization elements available through the API:
- The status of the prior authorization (e.g., approved, denied, and pending)
- The date the authorization was approved or denied
- The date or condition under which the authorization ends
- The items and services approved (excluding drugs)
- If denied, the specific reason for the denial
In this blog, we demonstrate how a user can log into a third-party app that is integrated with the payer's FHIR server to access the claims, prior authorization status, and related clinical data. We will also highlight the key components of our reference implementation, which has been implemented with Ballerina.
Scenario
Following the approval of his Prior Authorization request for an Aimovig 70mg Injection (previously submitted by Dr. Smith and approved by UnitedCare), Jack Shaw now wishes to view the status and details of that decision. (See the Prior Authorization use case.)
To do so, Jack turns to the Mediclaim App, which is a SMART on FHIR-enabled health application that has been integrated with the payer’s (UnitedCare) FHIR server. Leveraging the Patient Access API, this app allows him to securely view up-to-date information from his health plan, including the approved prior authorization decision, medication request, claims history, and coverage details — all in real time.
- Patient: Jack Shaw
- Payer: UnitedCare
- Third-party app: Mediclaim, a SMART on FHIR-compatible app authorized by Jack
Workflow
Figure 1: Sequence diagram of the Patient Access API workflow
Patient Access Flow
A few days after he consults with Dr. Smith, Jack receives a text message from UnitedCare notifying him that his prior authorization request for an Aimovig 70mg injection has been approved. Seeking to review the full details (such as coverage, out-of-pocket costs, and next steps) he opens the MediClaim app, which is a SMART on FHIR-enabled application that is connected to the payer’s (UnitedCare) FHIR Server.
1. Jack opens the MediClaim App
- The app initiates the SMART on FHIR flow.
- SMART configuration discovery: The app sends a request to the payer’s FHIR server to fetch configuration details (authorization endpoint, token endpoint, supported capabilities, and scopes).
- Invoke FHIR capability statement: The app sends a request to retrieve the capability statement, which includes supported FHIR resource types from the payer’s server.
- Authorization request: The app prepares to redirect Jack to the payer’s authorization server for authentication and consent.
2. Jack logs in and provides consent
- Jack is redirected to the payer’s authorization server, where he authenticates and grants consent for the app to access his health data.
- If Jack’s authentication and consent are successful, the authorization server sends an authorization code to the app.
- The app exchanges the authorization code for an access token, which allows secure access to Jack’s health data from the payer’s FHIR server, according to the authorized scopes.
Data Access Flow
1. Jack accesses prior authorization records
- Using the access token, the app retrieves the following resources from the payer’s FHIR Server:
- Prior authorization decision and adjudicated claim information
- Prescribed medication details.
- Insurance plan and coverage details.
Reference Implementation
Figure 2: Architecture diagram of the reference implementation
Core Components
Patient Side
|
Component |
Role |
|
MediClaim App |
A third-party, SMART on FHIR-compliant application is used by the patient to access their health data. It handles authentication, token management, and API requests to the payer. |
Payer Side
|
Component |
Role |
|
Authorization Server |
Hosted by the payer, the Authorization Server handles SMART on FHIR’s OAuth 2.0/OpenID Connect flow, including login, consent, and access token issuance. Options for the Authorization Server include WSO2 Identity Server and Asgardeo, an identity-as-a-service (IDaaS) solution. WSO2 Accelerator for Healthcare can be installed on top of either of these to enable SMART on FHIR features. |
|
FHIR Server |
Hosted by the payer, the FHIR Server serves patient health data, including claims, coverage, and prior authorization status in FHIR R4 format. The FHIR Server integrates with existing systems of record, such as databases, FHIR Repositories, and claim mgmt systems, serving as a facade to expose data for the Patient Access API. It is implemented using WSO2 Accelerator for Healthcare, with pre-built FHIR APIs required for the Patient Access API. |
|
Systems of Record |
The payer’s existing systems of record, such as:
|
A complete reference implementation for the Patient Access API use case has been built using the WSO2 Accelerator for Healthcare. This implementation demonstrates the SMART on FHIR flow. It is publicly available via GitHub and includes a hosted demo setup, where users can try out the full workflow.
The video below will provide a walkthrough of the demo setup.
Glossary
|
Patient Access API |
An API introduced under CMS-9115-F that allows patients to securely access their health information as held by their health plan (payer), including claims, encounters, clinical data, and coverage, via third-party applications of their choice. |
|
The CMS Interoperability and Patient Access Final Rule requires payers to provide patients with access to their health data, such as claims, encounters, clinical records (USCDI v1), coverage details, provider directory, and formulary via standardized APIs to promote transparency and patient empowerment. |
|
|
The CMS Prior Authorization and Interoperability Final Rule, which builds upon CMS-9115-F by requiring payers to include prior authorization information in the Patient Access API. |
|
|
Prior Authorization (PA) |
A cost-control process used by payers to determine whether they will cover a prescribed procedure, service, or medication before it is provided. Under CMS-0057-F, prior auth data must be made accessible to patients. |
|
An open specification that layers OAuth 2.0 and OpenID Connect onto FHIR APIs to enable secure, standardized access to health data by third-party applications with user consent. |
|
|
Standalone Launch |
A SMART on FHIR launch context where the application is initiated by the patient independently of any EHR or provider interface, typically for personal health use. |