Developer Resources

The Centers for Medicare and Medicaid Services (CMS) has required that payers of CMS-regulated plans implement and maintain a secure, standards-based Patient Access Application Programming Interface (API) (using Health Level 7® (HL7) Fast Healthcare Interoperability Resources® (FHIR) Release 4.0.1). This Patient Access API allows patients to easily access their claims and encounter information, including cost (specifically provider remittances and enrollee cost-sharing).

This rule also requires payers of CMS-regulated plans to make provider directory information publicly available via a FHIR-based Provider Directory API.

Necessary Technical Documentation

FHIR

Health Level 7 (HL7) Version 4.0.1 Fast Healthcare Interoperability Resources (FHIR) Release 4, October 30, 2019

• URL: http://hl7.org/fhir/R4/

FHIR Release 4.0.1 provides the first set of normative FHIR resources. This normative designation means that the future changes will be backward compatible. These resources define the content and structure of core health data, which can be used by developers to build standardized applications.

SMART Implementation Guide / OAuth 2.0

SMART Application Launch Framework Implementation Guide Release 1.0.0, November 13, 2018

• URL: http://hl7.org/fhir/smart-app-launch/history.html

SMART on FHIR provides reliable, secure authorization for a variety of app architectures through the use of the OAuth 2.0 standard. This Authorization Guide supports the four use cases defined for Phase 1 of the Argonaut Project. This profile is intended to be used by app developers that need to access FHIR resources by requesting access tokens from OAuth 2.0 compliant authorization servers. The profile defines a method through which an app requests authorization to access a FHIR resource, and then uses that authorization to retrieve the resource.

OAuth 2.0

The OAuth 2.0 Authorization Framework

• URL: https://tools.ietf.org/html/rfc6749

The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.

USCDI

United States Core Data for Interoperability (USCDI), June 2025, Version 3.1 (v3.1)

• URL: United States Core Data for Interoperability (USCDI) | Interoperability Standards Platform (ISP)

The USCDI is a standardized set of health data classes and component data elements for nationwide, interoperable health information exchange.

Registering with BlueCross BlueShield of Tennessee

BlueCross has created a registration process for third-party app developers who want to connect members through their app. To begin the registration process, send an inquiry email to eBusiness_Service@bcbst.com requesting access to our Patient Access API. Please include the following information:

• Contact name
• Company name
• App title
• Callback URL to assign to your application
• Description of the application
• Any other relevant information

You also need to define the scope that will be used during the authorization process. BlueCross has implemented the SMART App Launch Scopes as outlined below.

 

You will be assigned a Client ID and Client Secret after we’ve completed registering your application. The Client Secret needs to be stored securely and should only be used for accessing the BlueCross APIs.

Requesting Authorization From a User

The application needs to direct the user to BlueCross’s authorization endpoint using the below URL and parameters to authenticate the user and obtain the authorization code.

GET https://sso.bcbst.com/as/authorization.oauth2

Obtaining the Access Token

Once the user completes the authorization step detailed in the previous step, BlueCross will return an Authorization Code in the redirect URL that can be exchanged for an Access Token to make calls to BlueCross’s FHIR server.

The application needs to send a POST request using the below URL and parameters to obtain the access token.

POST https://sso.bcbst.com/as/token.oauth2

 

You can now use this token as the Bearer Token within the request header in your calls to the BlueCross FHIR server.

Accessing the BlueCross BlueShield of TN Provider Directory API

Getting Access to the BlueCross BlueShield of TN Patient Access API

BlueCross BlueShield of Tennessee has created a registration process for third-party app developers who want to connect members through their app. To begin the registration process, please visit the BCBST Developer Portal at https://fdp.edifecsfedcloud.com/#/portal/bcbstn/home.

• Select 'Log in as Developer' to create a new account or login to existing account
• Once logged in, select the 'Applications' tab and click Register Application to request access to sandbox and production Patient Access APIs
• Select 'Register' once required details have been entered

After we've completed registering your application, you will receive an email notification that your Client ID and Client Secret have been issued and are available to access via the portal.

If additional information is needed to complete the registration, you will be contacted at the email address provided within the portal.

 

Do you have more questions?

For more information about interoperability for app developers, please visit the CMS webpage about the CMS Patient Access Final Rule.

If you have questions about connecting to the BlueCross FHIR API, please send any questions in an email with a contact name, company name, app title, to BCBST_Interoperability_Support@bcbst.com.

We may be directed to give your application access to patient identifying information that is protected by 42 CFR Part 2 (the federal Confidentiality of Substance Use Disorder Patient Records). By registering with our API, you acknowledge and agree that you have received the prohibition on redisclosure notice that 42 CFR part 2 prohibits unauthorized disclosure of these records.