Patient Access API and Payer to Payer Data Transfer

If you purchased your own insurance on the Marketplace or you have a Medicare plan, you're entitled to access and share your health information. Blue Cross Blue Shield of Michigan and Blue Care Network now make this process easier.

Your health information is available for other apps through a Patient Access Application Program Interface, or API. This technology allows applications to talk to each other by exchanging data. 

What this means for you

As a member, you now have the ability to share your health information with third-party apps.

You can share your information dating back to Jan. 1, 2016, if you're enrolled in certain health plans. The following information is available as long as we maintain it in our records.

Claims and other health information you'll share

This includes clinical data collected while providing case management, care coordination, or other services to you.

Additional information can be found in our frequently asked questions (PDF) about Patient Access API.

The data made available through the API may include information about treatment for behavioral health, chronic illness and other sensitive information.

It's important for you to understand that the app you select will have access to all your information. The app is not subject to HIPAA rules and other privacy laws. These rules and laws protect your health information. You'll be subject to the app’s privacy policy for how it will use, disclose, and sell information about you. If you decide to share your information through the Patient Access API, you should review the app's privacy policy to ensure you're comfortable with what the app will do with your information.

Considerations before sharing personal data

It’s important to take steps to protect the privacy and security of your health information. That includes weighing several factors when you select an application, such as secondary uses of your data.

When selecting an app, ask yourself:

  • Will this app sell my data for any reason?
  • Will this app disclose my data to third parties for purposes such as research or advertising?
  • How will this app use my data? For what purposes?
  • Will the app allow me to limit how it uses, discloses or sells my data?
  • If I no longer want to use this app, or no longer want this app to have access to my health information, can I terminate its access to my data? What’s the termination process?
  • What is the app’s policy for deleting my data once I terminate access? Do I have to do more than just delete the app from my device?
  • How will this app notify me of changes in its privacy practices?
  • Will the app collect non-health data from my device, such as my location?
  • What security measures does this app use to protect my data?
  • Could sharing my data with this app have an impact on others, such as my family members?
  • Will the app allow me to access my data and correct inaccuracies? (Correcting inaccuracies in data collected by the app won’t affect inaccuracies in the source of the data.)
  • Does the app have a process for collecting and responding to user complaints?

If the app's privacy policy doesn't answer these questions, you may want to reconsider. You should choose an app with strong privacy and security standards to protect your information.

Covered entities and HIPAA enforcement

The U.S. Department of Health and Human Services’ Office for Civil Rights, or OCR, enforces the HIPAA Privacy, Security, and Breach Notification Rules. Your Blue Cross health plan is subject to HIPAA as are most health care providers, such as hospitals, doctors, clinics, and dentists. You can find more information about your rights under HIPAA and who is obligated to comply with HIPAA.

You can learn more about filing a complaint with OCR related to HIPAA requirements. You may also file a complaint with Blue Cross by contacting the appropriate customer service office (PDF).

Apps and privacy enforcement

An app generally will not be subject to HIPAA. An app that publishes a privacy notice is required to comply with the terms of its notice, but generally is not subject to other privacy laws. The Federal Trade Commission Act protects against deceptive acts, such as an app that discloses personal data in violation of its privacy notice. An app that violates the terms of its privacy notice is subject to the jurisdiction of the Federal Trade Commission, or FTC. The FTC provides information about mobile app privacy and security for consumers.

If you believe an app inappropriately used, disclosed, or sold your information, you should contact the FTC. You may file a complaint with the FTC using the FTC complaint assistant.

Interoperability: payer-to-payer data transfer request

On March 9, 2020, the Department of Health and Human Services, or HHS, released final rules outlining standards for interoperability and the secure exchange of health information. As part of these rules, the Centers for Medicare and Medicaid Services, or CMS, requires that payers maintain a process for the electronic exchange of member clinical data, which includes things like lab test results, vital signs, clinical notes and current medications.

CMS’s requirement says that with the approval of a current or former enrollee or the enrollee’s personal representative, the insurance carrier (payer) must:

  • Receive data for a current enrollee from any other insurance carrier (payer) that has provided coverage to the enrollee within the five previous years.
  • At any time an enrollee is currently enrolled and up to five years after disenrollment, send all such data to any other insurance carrier (payer) that the enrollee or their personal representative specifically requests receive the data.

If you're enrolled in a Blue Cross Medicare Advantage Plan or Individual Qualified Health Plan, or QHP, you have the option to request data transfer from your former insurance carrier (payer) to Blue Cross. Likewise, if you're a former enrollee in a Blue Cross Medicare Advantage or Individual QHP plan, you have the option to request that Blue Cross send your data to your current insurance carrier.

This transfer will ensure that your clinical data stays with you if you change insurance carriers.

However, CMS has indefinitely delayed this exchange requirement, so BCBSM can only send data to and receive data from health insurance carriers that are currently registered to facilitate data exchange.

Unfortunately, none of the health insurance carriers are registered and ready to transfer data right now. The health insurance carrier names will be added here once they are ready to transfer data. 

You'll need an account on the Blue Cross member portal to request a data transfer. Please create an account if you don't have one.

Additional information about data transfer and insurance carrier registration can be found in our frequently asked questions (PDF).

App Developers

Blue Cross Blue Shield of Michigan Interoperability APIs provide the functionality listed below:

BCBSM's API Capability Statement

This statement provides API syntax, function names, parameters supported, data types, and other required information necessary to develop your application. Anyone can open a query for BCBSM’s API Capability Statement. It shows the various aspects of FHIR that may be vitally important to someone such as a 3rd-party developer of a SMART on FHIR application trying to connect to BCBSM’s FHIR API.
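What a developer or security reviewer might pull out of a FHIR CapabilityStatement before connecting a SMART on FHIR app, shown as an added example (not BCBSM's code or its actual statement). The sample document, the example.org URLs and the function name are constructed, and flagging write interactions assumes a patient-access client only needs read and search.

```python
from urllib.parse import urlparse

OAUTH_EXT = "http://fhir-registry.smarthealthit.org/StructureDefinition/oauth-uris"
WRITE_OPS = {"create", "update", "patch", "delete"}

SAMPLE = {  # constructed sample in FHIR R4 shape, not a real server's statement
    "resourceType": "CapabilityStatement", "fhirVersion": "4.0.1",
    "rest": [{
        "mode": "server",
        "security": {
            "service": [{"coding": [{"code": "SMART-on-FHIR"}]}],
            "extension": [{"url": OAUTH_EXT, "extension": [
                {"url": "authorize", "valueUri": "https://auth.example.org/authorize"},
                {"url": "token", "valueUri": "http://auth.example.org/token"}]}]},
        "resource": [
            {"type": "ExplanationOfBenefit", "interaction": [{"code": "read"}]},
            {"type": "Patient", "interaction": [{"code": "read"}, {"code": "update"}]}]}],
}


def review_capability_statement(cs):
    """Return (oauth_endpoints, interactions_by_resource, findings)."""
    if cs.get("resourceType") != "CapabilityStatement":
        raise ValueError("not a CapabilityStatement")
    endpoints, interactions, findings = {}, {}, []
    for rest in cs.get("rest", []):
        sec = rest.get("security", {})
        codes = {c.get("code") for s in sec.get("service", []) for c in s.get("coding", [])}
        if "SMART-on-FHIR" not in codes:
            findings.append("security.service does not declare SMART-on-FHIR")
        for ext in sec.get("extension", []):
            if ext.get("url") == OAUTH_EXT:  # SMART OAuth endpoint advertisement
                for sub in ext.get("extension", []):
                    endpoints[sub.get("url")] = sub.get("valueUri")
        for res in rest.get("resource", []):
            ops = {i.get("code") for i in res.get("interaction", [])}
            interactions[res.get("type")] = sorted(ops)
            if ops & WRITE_OPS:
                findings.append(f"{res.get('type')} allows write interactions: {sorted(ops & WRITE_OPS)}")
    for name in ("authorize", "token"):
        uri = endpoints.get(name)
        if uri is None:
            findings.append(f"no OAuth {name} endpoint advertised")
        elif urlparse(uri).scheme != "https":
            findings.append(f"OAuth {name} endpoint is not HTTPS: {uri}")
    return endpoints, interactions, findings

if __name__ == "__main__":
    print("\n".join(review_capability_statement(SAMPLE)[2]))
```

A FHIR server publishes its CapabilityStatement at `[base]/metadata`; feed the parsed JSON from that response to the function in place of the sample.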

Registering and Testing Your Third-party App

To enable API connections, third-party developers must first create an account with InterOp Station and log in to access information. 

Logging into the InterOp Station site will allow you to access:

  • API syntax, function names, required and optional parameters supported and their data types, return variables and their types/structures, exceptions and exception handling methods and their returns
  • The software components and configurations an application must use in order to successfully interact with the API and process its response(s); and 
  • All applicable technical requirements and attributes necessary for an application to be registered with any authorization server(s) deployed in conjunction with the API

To find out how to create an account, how to connect and test your application and how to properly attest, read the InterOp Portal User guide (PDF).

API Endpoints

Access to API endpoints requires credentials for the Developer Portal and is available through any of the portals. It offers additional endpoints for testing and configuration, used for attesting to access data, and endpoints that are publicly accessible. View our publicly accessible endpoints under the Provider Directory and Drug Formulary.

Provider Directory:

Drug Formulary:

Questions?

Privacy issues: To report a concern or if you think your protected health information has been compromised, please call us at 1-800-552-8278 or email us. Don't include any protected health information in your email. 

Other issues: For customer service, call the number on the back of your member ID card.