The Patient Access API is mandated in the CMS Interoperability and Prior Authorization Final Rule (CMS-0057-F). It requires payers to make claim details and encounters, clinical and laboratory data, and prior-authorization data accessible through a secure FHIR-based API for patients in real-time via health applications of their choice. Impacted organizations include Medicare Advantage organizations, Medicaid managed care plans, Children’s Health Insurance Program managed care entities, State Medicaid and CHIP Fee-for-Service programs, and Qualified Health Plan issuers on the Federally Facilitated Exchanges. By January 1, 2027, they must report to CMS on metrics related to Patient Access API usage, including the total number of unique patients who access their data and the frequency.
On 9 March 2020, the U.S. Department of Health and Human Services (HHS) finalized two rules that will give patients “unprecedented” access to their health data. These final rules require both public and private entities to share health information between patients and third-party developers, which will be allowed to include claims data and other patient health information in their apps.
ONC’s final rule establishes API requirements to support a patient’s ability to securely and easily access and use their electronic health information from their provider’s medical records for free, using a smartphone app.
This rule also requires impacted organizations to make provider directory information publicly available via a FHIR-based Provider Directory API.
This API will allow patients to access their data through any third-party application they choose and could also be used to integrate a health plan’s information into a patient’s EHR. Patients can take this information with them as they move from plan to plan, and provider to provider.
The CMS final rule establishes a new Condition of Participation for all Medicare and Medicaid participating hospitals, requiring them to send electronic notifications to another healthcare facility or community provider or practitioner when a patient is admitted, discharged, or transferred.
Steps to get started for health organizations
- One of your patients identifies a patient health app, for example, the Apple Health app that they would like to use to access their health information.
- Ask your EHR provider to give you links to the appropriate APIs, including the patient's ID, Allergies, Assessments, all current Care Team members, all current Goals, all current Health Concerns, Immunizations, Lab Results, pending and future Lab Tests, current and past Medications, implanted and removed Medical Equipment records, current demographics (Race, Ethnicity, Name, Sex, Date of Birth, and Preferred Language), active, inactive and resolved Problems, Procedures, Social History data (including Smoking Status), and Vital Signs.
- For third-party applications chosen by individuals to facilitate their access to their Electronic Health Information Export, you don’t need to “vet” these applications on security grounds (page 465).
- Provide these links to the Apple Health app developers to allow them to connect to your EHR. Once they integrate them into their app, they should provide instructions for accessing health information for their users, including your patient.