The purpose of the Patient First patient access API is to meet the requirements of the ONC Health IT Certification Program 2015 Edition. The operations provided through the API are specifically written to address the documentation and authentication (170.315(g)(7)), partial clinical information (170.315(g)(8)), and the full encounter clinical summary (170.315(g)(9)) requirements. Patient First has taken the position that the patient should be responsible for the release of their information through the API. It has also been decided that only the individual medical records will be available via the API, regardless of whose medical records you may have been granted access to. Access to the API is accomplished by a patient that participates in the Patient First Patient Portal. Each patient is individually responsible for authorizing application access to the API. All access through the API is logged in the patient portal participant’s activity log.
Authorizing application access to the API is the responsibility of each Patient First Patient Portal participant. Authorization is granted by the 'Settings' dialog within a participant's account under the 'Authorize API's' setting. The user must check the 'Allow 3rd party API's to access your medical records' block AND click the 'UPDATE' button. When checked, the participant can click the 'Add' button and fill in the name of the API Application and click the 'Submit' button. This action will add the application to the list and generate two important pieces of information, the 'APPLICATION USERNAME' and the 'APPLICATION KEY'. Both of these pieces of information must be given to the 3rd party application developer.
Application Access via API can be turned off at the participant level by unchecking the 'Allow 3rd party API's to access your medical records' block AND clicking the 'UPDATE' button. Application Access via API can also be turned off at the application level by clicking the 'DELETE' link within the respective application row.
All API access by authorized 3rd party applications will be recorded in the participants 'Account Activity' audit.
This method addresses the 170.315(g)(7) requirement and is used to generate a token for all other requests. An active token is required for all operation calls. To generate a token, the application much have knowledge of the “ApplicationUserName” and “ApplicationKey”. The patient portal participant can create these keys specific to them by accessing the “Settings” page in the patient portal. When a token is generated, it is good for thirty minutes after which a new token must be generated. The patient also has the ability to disable API access per application. The developer documentation is here.
This method addresses the 170.315(g)(8) requirement and is used to get a specified data element within the date range. The response also includes patient demographics. An active token is required to retrieve the list. The developer documentation is here. The available data elements are:
This method addresses the 170.315(g)(9) requirement and is used to get a list of CCDAs within the date range specified. An active token is required to retrieve the list. The CCDAs are represented as XML contained in a CDATA tag within the JSON presentation. The developer documentation is here.