Developer Resources
The Centers for Medicare and Medicaid Services (CMS) has required that payers of CMS-regulated plans implement and maintain a secure, standards-based Patient Access Application Programming Interface (API) (using Health Level 7® (HL7) Fast Healthcare Interoperability Resources® (FHIR) Release 4.0.1). This Patient Access API allows patients to easily access their claims and encounter information, including cost (specifically provider remittances and enrollee cost-sharing).
This rule also requires payers of CMS-regulated plans to make provider directory information publicly available via a FHIR-based Provider Directory API.
Necessary Technical Documentation
FHIR
Health Level 7 (HL7) Version 4.0.1 Fast Healthcare Interoperability Resources (FHIR) Release 4, October 30, 2019
FHIR Release 4.0.1 provides the first set of normative FHIR resources. This normative designation means that the future changes will be backward compatible. These resources define the content and structure of core health data, which can be used by developers to build standardized applications.
SMART Implementation Guide / OAuth 2.0
SMART Application Launch Framework Implementation Guide Release 1.0.0, November 13, 2018
SMART on FHIR provides reliable, secure authorization for a variety of app architectures through the use of the OAuth 2.0 standard. This Authorization Guide supports the four use cases defined for Phase 1 of the Argonaut Project. This profile is intended to be used by app developers that need to access FHIR resources by requesting access tokens from OAuth 2.0 compliant authorization servers. The profile defines a method through which an app requests authorization to access a FHIR resource, and then uses that authorization to retrieve the resource.
OAuth 2.0
The OAuth 2.0 Authorization Framework
The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. This specification replaces and obsoletes the OAuth 1.0 protocol described in RFC 5849.
USCDI
United States Core Data for Interoperability (USCDI), February 2020, Version 1 (v1)
The USCDI is a standardized set of health data classes and component data elements for nationwide, interoperable health information exchange.
Registering with BlueCross BlueShield of Tennessee
BlueCross has created a registration process for third-party app developers who want to connect members through their app. To begin the registration process, send an inquiry email to eBusiness_Service@bcbst.com requesting access to our Patient Access API. Please include the following information:
- Contact name
- Company name
- App title
- Callback URL to assign to your application
- Description of the application
- Any other relevant information
You also need to define the scope that will be used during the authorization process. BlueCross has implemented the SMART App Launch Scopes as outlined below.
Scope | Grants |
---|---|
patient/*.read | Permission to read supported FHIR resources for the current patient |
openid fhirUser | Permission to retrieve information about the current logged-in user |
You will be assigned a Client ID and Client Secret after we’ve completed registering your application. The Client Secret needs to be stored securely and should only be used for accessing the BlueCross APIs.
Requesting Authorization From a User
The application needs to direct the user to BlueCross’s authorization endpoint using the below URL and parameters to authenticate the user and obtain the authorization code.
GET https://sso.bcbst.com/as/authorization.oauth2
Parameter | Value |
---|---|
client_id | The Client ID that you received from BlueCross |
grant_type | authorization_code |
redirect_uri | Your endpoint that receives callback from the BlueCross API |
scope | patient/*.read openid fhirUser |
response_type | code |
Obtaining the Access Token
Once the user completes the authorization step described above, BlueCross returns an Authorization Code in the redirect URL. That code can be exchanged for an Access Token used to make calls to BlueCross’s FHIR server.
The application needs to send a POST request using the below URL and parameters to obtain the access token.
POST https://sso.bcbst.com/as/token.oauth2
Parameter | Value |
---|---|
client_id | The Client ID that you received from BlueCross |
client_secret | The Client Secret that you received from BlueCross |
grant_type | authorization_code |
redirect_uri | Your endpoint that receives callback from the BlueCross API |
scope | patient/*.read openid fhirUser |
code | The Authorization Code received in the previous step |
You can now send this token as the Bearer Token in the Authorization request header of your calls to the BlueCross FHIR server.
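The three steps above (authorization redirect, callback, code-for-token exchange) as an added, offline example; this is not BlueCross’s code. It builds the requests with the parameters and endpoints listed on this page and adds the standard RFC 6749 `state` check, which the page’s tables do not mention; the client ID, secret, redirect URI and callback values are constructed placeholders.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Endpoints and the scope string exactly as given on this page.
AUTHORIZE_URL = "https://sso.bcbst.com/as/authorization.oauth2"
TOKEN_URL = "https://sso.bcbst.com/as/token.oauth2"
SCOPE = "patient/*.read openid fhirUser"

def new_state() -> str:
    """Unguessable per-login value, stored in the user's session before redirecting."""
    return secrets.token_urlsafe(32)

def build_authorization_url(client_id: str, redirect_uri: str, state: str) -> str:
    """Step 1: the URL the app redirects the user to. Parameters follow the page's table;
    `state` is the RFC 6749 CSRF binding the table omits but the app should always send."""
    params = {
        "client_id": client_id,
        "grant_type": "authorization_code",  # included because the page's table lists it
        "redirect_uri": redirect_uri,
        "scope": SCOPE,
        "response_type": "code",
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"

def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 2: extract the code, rejecting a callback whose state is not this session's."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this session")
    if "code" not in query:
        raise ValueError(f"authorization failed: {query.get('error', ['no code'])[0]}")
    return query["code"][0]

def build_token_request(client_id: str, client_secret: str, redirect_uri: str, code: str):
    """Step 3: (url, form fields) for the POST that swaps the code for an access token.
    The secret travels only in the TLS-protected POST body, never in a URL or a log line."""
    form = {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "authorization_code",
        "redirect_uri": redirect_uri,
        "scope": SCOPE,
        "code": code,
    }
    return TOKEN_URL, form

def fhir_headers(access_token: str) -> dict:
    """Step 4: headers for calls such as GET https://api.bcbst.com/fhir/r4/Patient."""
    return {"Authorization": f"Bearer {access_token}", "Accept": "application/fhir+json"}
```

Send the form from `build_token_request` as `application/x-www-form-urlencoded` with any HTTP client; the access token in the JSON response is what `fhir_headers` expects.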
BlueCross FHIR API Endpoints
| API Category | Security Requirements | API Endpoint(s) | Supporting Documentation |
|---|---|---|---|
| FHIR Capability Statement | Open access | https://api.bcbst.com/fhir/r4/metadata<br>https://api.bcbst.com/fhir/r4/.well-known/smart-configuration | The metadata endpoint provides the CapabilityStatement resource from the FHIR server. |
| Patient Access API | Application onboarding; user authentication and authorization | https://api.bcbst.com/fhir/r4/Coverage<br>https://api.bcbst.com/fhir/r4/CarePlan<br>https://api.bcbst.com/fhir/r4/Condition<br>https://api.bcbst.com/fhir/r4/ExplanationOfBenefit<br>https://api.bcbst.com/fhir/r4/List<br>https://api.bcbst.com/fhir/r4/MedicationKnowledge<br>https://api.bcbst.com/fhir/r4/Observation<br>https://api.bcbst.com/fhir/r4/Patient<br>https://api.bcbst.com/fhir/r4/Procedure | The Patient Access APIs are used to build applications that allow BlueCross members to access their claims and encounter information, a defined subset of their clinical information, and formulary information. See also: Implementation Guides; Supported Profiles. |
| Provider Directory API | Open access | https://api.bcbst.com/fhir/r4/Endpoint<br>https://api.bcbst.com/fhir/r4/HealthcareService<br>https://api.bcbst.com/fhir/r4/InsurancePlan<br>https://api.bcbst.com/fhir/r4/Location<br>https://api.bcbst.com/fhir/r4/Organization<br>https://api.bcbst.com/fhir/r4/OrganizationAffiliation<br>https://api.bcbst.com/fhir/r4/Practitioner<br>https://api.bcbst.com/fhir/r4/PractitionerRole | The Provider Directory APIs can be used to create applications to access information about providers and pharmacies. See also: Implementation Guides; Supported Profiles. |
Using Brand Assets
Here are some brand assets you may need in your application.
Select the links below to download a ZIP file with the approved BlueCross BlueShield of Tennessee logos and a PDF outlining their correct usage.
Do you have more questions?
For more information about interoperability for app developers, please visit the CMS webpage about the CMS Patient Access Final Rule.
If you have questions about connecting to the BlueCross FHIR API, please send any questions in an email with a contact name, company name, app title, to eBusiness_Service@bcbst.com.
We may be directed to give your application access to patient identifying information that is protected by 42 CFR Part 2 (the federal Confidentiality of Substance Use Disorder Patient Records rule). By registering with our API, you acknowledge and agree that you have received the prohibition on redisclosure notice: 42 CFR Part 2 prohibits unauthorized disclosure of these records.