Developer Resources

The Centers for Medicare and Medicaid Services (CMS) has required that payers of CMS-regulated plans implement and maintain a secure, standards-based Patient Access Application Programming Interface (API) (using Health Level 7® (HL7) Fast Healthcare Interoperability Resources® (FHIR) Release 4.0.1). This Patient Access API allows patients to easily access their claims and encounter information, including cost (specifically provider remittances and enrollee cost-sharing).

This rule also requires payers of CMS-regulated plans to make provider directory information publicly available via a FHIR-based Provider Directory API.

Necessary Technical Documentation


Health Level 7 (HL7) Version 4.0.1 Fast Healthcare Interoperability Resources (FHIR) Release 4, October 30, 2019

FHIR Release 4.0.1 provides the first set of normative FHIR resources. This normative designation means that the future changes will be backward compatible. These resources define the content and structure of core health data, which can be used by developers to build standardized applications.

SMART Implementation Guide / OAuth 2.0

SMART Application Launch Framework Implementation Guide Release 1.0.0, November 13, 2018

SMART on FHIR provides reliable, secure authorization for a variety of app architectures through the use of the OAuth 2.0 standard. This Authorization Guide supports the four use cases defined for Phase 1 of the Argonaut Project. This profile is intended to be used by app developers that need to access FHIR resources by requesting access tokens from OAuth 2.0 compliant authorization servers. The profile defines a method through which an app requests authorization to access a FHIR resource, and then uses that authorization to retrieve the resource.

OAuth 2.0

The OAuth 2.0 Authorization Framework

The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. This specification replaces and obsoletes the OAuth 1.0 protocol described in RFC 5849.


United States Core Data for Interoperability (USCDI), February 2020, Version 1 (v1)

The USCDI is a standardized set of health data classes and component data elements for nationwide, interoperable health information exchange.

Registering with BlueCross BlueShield of Tennessee

BlueCross has created a registration process for third-party app developers who want to connect members through their app. To begin the registration process, send an inquiry email to requesting access to our Patient Access API. Please include the following information:

  • Contact name
  • Company name
  • App title
  • Callback URL to assign to your application
  • Description of the application
  • Any other relevant information

You also need to define the scope that will be used during the authorization process. BlueCross has implemented the SMART App Launch Scopes as outlined below.

Scope Grants
patient/*.read Permission to read supported FHIR resources for the current patient
openid fhirUser Permission to retrieve information about the current logged-in user


You will be assigned a Client ID and Client Secret after we’ve completed registering your application. The Client Secret needs to be stored securely and should only be used for accessing the BlueCross APIs.

Requesting Authorization From a User

The application needs to direct the user to BlueCross’s authorization endpoint using the below URL and parameters to authenticate the user and obtain the authorization code.


Parameter Value
client_id The Client ID that you received from BlueCross
grant_type authorization_code
redirect_uri Your endpoint that receives callback from the BlueCross API
grant_type patient/*.read openid fhirUser
response_type code

Obtaining the Access Token

Once the user completes the authorization step detailed in the previous step, BlueCross will return an Authorization Code in the redirect URL that can be exchanged for an Access Token to make calls to BlueCross’s FHIR server.

The application needs to send a POST request using the below URL and parameters to obtain the access token.


Parameter Value
client_id The Client ID that you received from BlueCross
client_secret The Client Secret that you received from BlueCross
grant_type authorization_code
redirect_uri Your endpoint that receives callback from the BlueCross API
scope patient/*.read openid fhirUser
code The Authorization Code received in the previous step


You can now use this token as the Bearer Token within the request header in your calls to the BlueCross FHIR server.

BlueCross FHIR API Endpoints

API Category Security Requirements API Endpoint(s) Supporting Documentation
FHIR Capability Statement Open access
The metadata endpoint provides the CapabilityStatement resource from the FHIR server.
Patient Access API Application onboarding User authentication and authorization

The Patient Access APIs are used to build applications that allow BlueCross members to access their claims and encounter information, a defined sub-set of their clinical information, and formulary information.

Implementation Guides Supported Profiles
Provider Directory API Open Access

The Provider Directory APIs can be used to create applications to access information about providers and pharmacies.

Implementation Guides Supported Profiles

Swipe to see more

Swipe Icon



Here are some brand assets you may need in your application.


Select the links below to download a ZIP file with the approved BlueCross BlueShield of Tennessee logos and a PDF outlining their correct usage.

Do you have more questions?

For more information about interoperability for app developers, please visit the CMS webpage about the CMS Patient Access Final Rule.

If you have questions about connecting to the BlueCross FHIR API, please send any questions in an email with a contact name, company name, app title, to

We may be directed to give your application access to patient identifying information that is protected by 42 CFR Part 2 (the federal Confidentiality of Substance Use Disorder Patient Records). By registering with our API, you acknowledge and agree that you have received the prohibition on redisclosure notice that 42 CFR part 2 prohibits unauthorized disclosure of these records.