Get started with our APIs
Welcome!
If you are the type who likes to skip ahead, here is our complete CMS/ONC Patient Access Developer API Documentation. Here is a complete list of the FHIR resources we currently support.
The remainder of this page will focus on the following topics:
- Get started with a request for access
- Next steps
- Important documentation, including:
  - Summary overview of ABCBS APIs
  - SMART on FHIR and OIDC API
  - CARIN IG
  - Error handling
- Support
Get started with a request for access
Send us an email to request access.
- For FHIR API access, contact ISCSSFHIRSupport@arkbluecross.com.
- For Enterprise API access, contact ISCSSEnterpriseAPISupport@arkbluecross.com.
Make sure to include the following information in your email:
- Company name
- Company address
- Point of contact, including email and phone
- Short description of intent on how APIs will be used
Once your request is received, a member of the team will be in contact shortly.
Next steps
Attestation process
In the email you receive from our team, you will also receive two forms that require completion. These forms include a security questionnaire and an agreement for terms and conditions of use. Both forms must be completed for any access to our APIs. When the completed forms are received, they will be reviewed by our security team prior to granting any credentials to access our APIs.
Please note, Enterprise APIs have a separate process and will require a data use agreement. For questions about Enterprise APIs, contact ISCSSEnterpriseAPISupport@arkbluecross.com.
Register for a developer account
Create your developer account here.
- Fill out the form including:
  - First name
  - Last name
  - Company name
- Agree to the terms and conditions
- Click the "CREATE NEW ACCOUNT" button.
You will receive an email with an activation link. Click the link and your account setup will be complete!
Create an app for your organization
Creating an app provides the information needed to grant credentials (after the attestation documents are approved) and to ensure you can access the APIs you need.
To create an app, make sure you are logged into your developer account:
- Click "Apps" at the top right.
- Click the "Add app" button.
- Fill out the following fields:
  - App name
  - Callback URL (External site to which a consumer of this app is redirected to log in when using three-legged OAuth)
  - Description
- Under APIs, choose ONLY the following options - this is what is needed for FHIR API access:
  - FHIRPA_PreProd
  - OIDC Product
- Click the "ADD APP" button at the bottom of the page to save your app.
Testing and going live in production
After you've received approval through attestation, you'll receive client credentials for access to the sandbox. When you have completed sufficient testing and are ready to go live in production, contact us to request production access. You'll be notified when your production access is approved and active.
Important documentation
Summary Overview of ABCBS APIs
Arkansas Blue Cross Blue Shield interoperability APIs enable Arkansas Blue Cross Blue Shield members to consent to have their data shared with third-party applications. They also allow third-party application owners to connect to provider and pharmacy directories, further referred to as “public non-member specific data.”
Arkansas Blue Cross Blue Shield Interoperability APIs provide the functionality listed below:
- Enable developers to register member-facing applications
- Enable members to provide consent for an application to access their data
- Use the HL7 FHIR standard for member data, provider directory and the drug formulary; use the OAuth 2.0 / OpenID Connect standard for member authorization
- Use the HL7 FHIR standard for sharing public non-member specific data
Please note: Documented search parameters are not all-inclusive. Interested developers should request GET [base]/metadata for the full capabilities of the FHIR server.
Capability statement
The capability statement is a key part of the overall conformance framework in FHIR. It is used as a statement of the features of actual software, or of a set of rules for an application to provide. This statement connects to all the detailed statements of functionality, such as Structure Definitions and Value Sets. This composite statement of application capability may be used for system compatibility testing, code generation, or as the basis for a conformance assessment.
Links to capability statement:
Sandbox
https://apipreprod.arkbluecross.com/blueware/V1/FHIR/metadata
Production
https://api.arkbluecross.com/blueware/V1/FHIR/metadata
SMART on FHIR and OIDC API
Arkansas Blue Cross and Blue Shield implements OpenID Connect (OIDC) in conjunction with the SMART on FHIR® standalone patient app launch (http://www.hl7.org/fhir/smart-app-launch/). The specification provides a framework for an OpenID Provider (OP) to securely convey an authenticated user’s identity to relying parties (RPs), and in turn the RPs will convey the identity to the FHIR APIs.
Authentication Request
An Authentication Request is an OAuth 2.0 Authorization Request that requests that the End-User be authenticated by the Authorization Server.
Authorize endpoints:
Sandbox
GET https://apipreprod.arkbluecross.com/oidc/oauth2/authorize?client_id={Client Key}&redirect_uri={Client’s preregistered redirect uri}&response_type=code&state={Opaque value used to maintain state}&nonce={Optional case sensitive string}&scope=openid+launch/patient+patient/*.read&aud=https://apipreprod.arkbluecross.com/
Production
GET https://api.arkbluecross.com/oidc/oauth2/authorize?client_id={Client Key}&redirect_uri={Client’s preregistered redirect uri}&response_type=code&state={Opaque value used to maintain state}&nonce={Optional case sensitive string}&scope=openid+launch/patient+patient/*.read&aud=https://api.arkbluecross.com/
Redirect URI
Client specified redirection URI to which the OP Authentication response will be sent.
Response query parameters in Redirect URI
- code: Authorization Code to be exchanged for bearer token
- state: State code value from the Authorization Request
Token Request
A client makes a Token Request by presenting its Authorization Grant (in the form of an Authorization Code) to the Token Endpoint. Among other attributes the token endpoint response body will include an access token, refresh token, and an ID JSON Web Token (JWT). The ID Token shall be submitted in the Authorization HTTP header when requesting the FHIR APIs.
Sandbox token endpoint
- POST https://apipreprod.arkbluecross.com/oidc/oauth2/token
- Headers
  - Accept: application/json
  - Content-Type: application/x-www-form-urlencoded
  - Authorization: Basic {Base64 Encoded Sandbox Credentials}
- Token Request Body with Authorization Code: client_id={Client Key}&grant_type=authorization_code&redirect_uri={Client’s preregistered redirect uri}&code={Authorization Code}
- Token Request Body with Refresh Token: client_id={Client Key}&grant_type=refresh_token&refresh_token={Refresh Token}
Production token endpoint
- POST https://api.arkbluecross.com/oidc/oauth2/token
- Headers
  - Accept: application/json
  - Content-Type: application/x-www-form-urlencoded
  - Authorization: Basic {Base64 Encoded Production Credentials}
- Token Request Body with Authorization Code: client_id={Client Key}&grant_type=authorization_code&redirect_uri={Client’s preregistered redirect uri}&code={Authorization Code}
- Token Request Body with Refresh Token: client_id={Client Key}&grant_type=refresh_token&refresh_token={Refresh Token}
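The authentication request, redirect handling and token request described above, as an added Python example that is not part of the original documentation: it generates an unguessable state and nonce, rejects a callback whose state does not match the session, and assembles the sandbox token request without sending it. The function names are hypothetical, and the Basic credentials are assumed to be the client key and secret joined as client_id:client_secret.

```python
import base64
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Sandbox endpoints, audience and scope as documented on this page.
AUTHORIZE_URL = "https://apipreprod.arkbluecross.com/oidc/oauth2/authorize"
TOKEN_URL = "https://apipreprod.arkbluecross.com/oidc/oauth2/token"
AUDIENCE = "https://apipreprod.arkbluecross.com/"
SCOPE = "openid launch/patient patient/*.read"


def build_authorize_url(client_id, redirect_uri):
    """Return (url, state, nonce); store state and nonce in the user's server-side session."""
    state = secrets.token_urlsafe(32)  # unguessable: ties the callback to this browser session
    nonce = secrets.token_urlsafe(32)  # must later match the nonce claim in the ID token
    query = urlencode({
        "client_id": client_id, "redirect_uri": redirect_uri,
        "response_type": "code", "state": state, "nonce": nonce,
        "scope": SCOPE, "aud": AUDIENCE,
    })
    return f"{AUTHORIZE_URL}?{query}", state, nonce


def code_from_callback(callback_url, expected_state):
    """Return the authorization code, or raise if state is missing, repeated or wrong."""
    params = parse_qs(urlsplit(callback_url).query)
    states, codes = params.get("state", []), params.get("code", [])
    if len(states) != 1 or len(codes) != 1:
        raise ValueError("callback must carry exactly one state and one code")
    if not hmac.compare_digest(states[0].encode(), expected_state.encode()):
        raise ValueError("state mismatch: response does not belong to this session")
    return codes[0]


def build_token_request(client_id, client_secret, redirect_uri, code):
    """Return (url, headers, body) for the authorization-code token request."""
    # Assumption: Basic credentials are base64("client_id:client_secret").
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Accept": "application/json",
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": f"Basic {basic}",
    }
    body = urlencode({
        "client_id": client_id, "grant_type": "authorization_code",
        "redirect_uri": redirect_uri, "code": code,
    })
    return TOKEN_URL, headers, body
```

The redirect_uri in the token request must be the same preregistered value sent in the authentication request. After validating the returned ID Token, compare its nonce claim with the stored nonce before using it.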
CARIN IG
The CARIN for Blue Button® Framework enables third party applications to call FHIR APIs for returning Medicare Advantage and Part D claims and enrollment data. This implementation guide contains the specifications for the FHIR Patient, Coverage, ExplanationOfBenefit, and Organization resources profiled from CARIN IG for Blue Button® (http://hl7.org/fhir/us/carin-bb/index.html).
Access our FHIR API library for more information about each available resource.
Error handling
All of our APIs throw errors in the following JSON format:
{
  "errors": [
    {
      "title": "ERROR_MESSAGE",
      "status": "HTTP_STATUS_CODE",
      "traceId": "UUID"
    }
  ]
}
Support
Do you have questions or problems? We are happy to help! Please check our FAQ page for answers to frequently asked questions. If you cannot find the answer you need, please contact us and we will get back to you as soon as possible.