Sign in

Patient Access API · CMS-0057F · 42 CFR 422.119(a) · USCDI v3

Patient Access

Live

For 3rd-party app developers building member-facing apps. Members sign in with their payer account; your app reads their claims, clinical data, and coverage through standards-based FHIR. Auth, consent, and metering are handled for you.

Quickstart

Get your first token and hit the API in under 10 minutes.

  1. 1

    Register your app

    Create an application to receive a client ID and set your redirect URI.

  2. 2

    Initiate PKCE authorization

    Generate a code_verifier + code_challenge pair. Redirect the member to the authorization endpoint with SMART scopes.

  3. 3

    Exchange the code for tokens

    POST to /oauth2/token with the authorization code and code_verifier. Receive access_token and refresh_token.

  4. 4

    Call the FHIR API

    Include the access_token as Authorization: Bearer <token>. Use the patient ID from the id_token sub claim.

  5. 5

    Refresh when needed

    Access tokens expire in 1 hour. Use the refresh_token to get a new access_token without re-auth.

Token exchange

PKCE token request after the authorization redirect.

curl -X POST https://auth.healthchain.dev/oauth2/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=authorization_code" \
  -d "code=AUTH_CODE_FROM_CALLBACK" \
  -d "redirect_uri=https://yourapp.example/callback" \
  -d "client_id=YOUR_CLIENT_ID" \
  -d "code_verifier=YOUR_PKCE_VERIFIER"

Auth flow · Scopes

SMART on FHIR scopes required and optional for this API.

ScopeDescriptionRequired
patient/Patient.readRead Patient demographic data.Yes
patient/Coverage.readRead insurance coverage information.Yes
patient/ExplanationOfBenefit.readRead claims and prior auth EOBs.Yes
patient/Condition.readRead problem list (USCDI Conditions).No
patient/MedicationRequest.readRead prescriptions.No
patient/Observation.readRead vitals, labs, and social history.No
patient/DocumentReference.readRead clinical documents and C-CDAs.No
launch/patientAllow SMART to pre-select the patient context.Yes
openid fhirUserOIDC identity claims.Yes

Endpoints

Key FHIR operations for the Patient Access API.

GET/Patient/{id}

Read a single Patient resource.

GET/Patient/{id}/$everything

Bundle of all FHIR resources for the member.

GET/ExplanationOfBenefit

Search claims and prior auth EOBs.

GET/Coverage

Read active and historical coverage.

GET/Condition

Problem list entries aligned to USCDI Conditions.

Resources & profiles

FHIR resource types returned by this API and their conformance profiles.

ResourceProfileUSCDI
Patientus-core-patientUSCDI Patient
Coveragehrex-coverageUSCDI Insurance
ExplanationOfBenefitC4BB-ExplanationOfBenefitUSCDI Clinical Notes
Conditionus-core-condition-problems-and-health-concernsUSCDI Conditions
MedicationRequestus-core-medicationrequestUSCDI Medications
Observationus-core-observation-labUSCDI Lab Results
DocumentReferenceus-core-documentreferenceUSCDI Clinical Notes
AllergyIntoleranceus-core-allergyintoleranceUSCDI Allergies
Immunizationus-core-immunizationUSCDI Immunizations
Procedureus-core-procedureUSCDI Procedures