Get started with our APIs

Welcome!

If you are the type who likes to skip ahead, here is our complete CMS/ONC Patient Access Developer API Documentation.

Here you can find a complete list of the FHIR resources we currently support.

The remainder of this page will focus on the following topics:

  • Get Started: Access Request
  • Next Steps
  • Important Documentation
    • Summary Overview: ABCBS APIs
    • SMART: FHIR & OIDC API
    • CARIN IG
  • Error Handling
  • Support

Get Started: Access Request

Request access by sending an email to EnterpriseIntegrationPlatforms@arkbluecross.com.

Please include the following information in the request:

  • Company name,
  • Company address,
  • Point of contact (including email and phone),
  • Short description of intent on API use.

Once your request is received, a member of the team will respond with a ticket number for tracking and further information.


Next Steps

Attestation Process

When a team member responds with a ticket number for tracking, they will also include two documents that must be completed before access is granted to the APIs. One will be a security questionnaire and the other an agreement of terms and conditions of use.

After completing and returning these forms, our Enterprise Information Security (EIS) team will review for approval.


Connection, Testing, & Going Live

Once attestation approval has been granted, you will receive client credentials to access the API sandbox environment. In this environment you will complete connection and call testing.

After successful testing, notify our API team you’re ready to go live. Once we “push the button” we’ll let you know you’re good-to-go and are live and active!


Important Documentation

Summary Overview: ABCBS APIs

Arkansas Blue Cross Blue Shield Interoperability APIs enable Arkansas Blue Cross Blue Shield members to consent to have their data shared with third-party applications. They also allow third-party application owners to connect to provider and pharmacy directories, further referred to as “public non-member specific data.”

Arkansas Blue Cross Blue Shield Interoperability APIs provide the functionality listed below:

  • Enables developers to register member-facing applications.
  • Enables members to provide consent for an application to access their data.
  • Utilizes the HL7 FHIR standard for member data, provider directory, and drug formulary, with the OAuth 2.0 / OpenID Connect standard for member authorization.
  • Utilizes HL7 FHIR standard for sharing public non-member specific data.

Please Note: Documented search parameters are not all-inclusive; interested developers should request GET [base]/metadata for the full capabilities of the FHIR server.


Capability Statement

The capability statement is a key part of the overall conformance framework in FHIR. It is used as a statement of the features of actual software, or of a set of rules for an application to provide. This statement connects to all the detailed statements of functionality, such as Structure Definitions and Value Sets. This composite statement of application capability may be used for system compatibility testing, code generation, or as the basis for a conformance assessment.

Links to capability statement:

    Sandbox

    https://apipreprod.arkbluecross.com/blueware/V1/FHIR/metadata

    Production

    https://api.arkbluecross.com/blueware/V1/FHIR/metadata


SMART: FHIR & OIDC API

Arkansas Blue Cross and Blue Shield implements OpenID Connect (OIDC) in conjunction with the SMART on FHIR® standalone patient app launch (http://www.hl7.org/fhir/smart-app-launch/). The specification provides a framework for an OpenID Provider (OP) to securely convey an authenticated user’s identity to relying parties (RPs), and in turn the RPs will convey the identity to the FHIR APIs.


Authentication Request

An Authentication Request is an OAuth 2.0 Authorization Request that requests that the End-User be authenticated by the Authorization Server.

Authorize endpoints:

    Sandbox

    GET     https://apipreprod.arkbluecross.com/oidc/oauth2/authorize?client_id={Client Key}&redirect_uri={Client’s preregistered redirect uri}&response_type=code&state={Opaque value used to maintain state}&nonce={Optional case sensitive string}&scope=+launch/patient+patient/*.read&aud=https://apipreprod.arkbluecross.com/

    Production

    GET     https://api.arkbluecross.com/oidc/oauth2/authorize?client_id={Client Key}&redirect_uri={Client’s preregistered redirect uri}&response_type=code&state={Opaque value used to maintain state}&nonce={Optional case sensitive string}&scope=openid+launch/patient+patient/*.read&aud=https://api.arkbluecross.com/


Redirect URI

Client-specified redirection URI to which the OP Authentication response will be sent.

Query Parameters in Redirect URI:

  • code (Authorization code to be exchanged for bearer token.)
  • state (State code value from the Authorization Request.)

Token Request

A client makes a Token Request by presenting its Authorization Grant (in the form of an Authorization Code) to the Token Endpoint. Among other attributes, the token endpoint response body will include an access token, refresh token, and an ID JSON Web Token (JWT). The ID Token shall be submitted in the Authorization HTTP header when requesting the FHIR APIs.

Sandbox Token Endpoint

  • POST    https://apipreprod.arkbluecross.com/oidc/oauth2/token/
  • Headers
    • Accept: application/json
    • Content-Type: application/x-www-form-urlencoded
    • Authorization: Basic {Base64 Encoded Sandbox Credentials}
  • Token Request Body with Authorization Code: client_id={Client Key}&grant_type=authorization_code&redirect_uri={Client’s preregistered redirect uri}&code={Authorization Code}
  • Token Request Body with Refresh Token: client_id={Client Key}&grant_type=refresh_token&refresh_token={Refresh Token}

Production Token Endpoint

  • POST    https://api.arkbluecross.com/oidc/oauth2/token/
  • Headers
    • Accept: application/json
    • Content-Type: application/x-www-form-urlencoded
    • Authorization: Basic {Base64 Encoded Sandbox Credentials}
  • Token Request Body with Authorization Code: client_id={Client Key}&grant_type=authorization_code&redirect_uri={Client’s preregistered redirect uri}&code={Authorization Code}
  • Token Request Body with Refresh Token: client_id={Client Key}&grant_type=refresh_token&refresh_token={Refresh Token}

CARIN IG

The CARIN for Blue Button® Framework enables third party applications to call FHIR APIs for returning Medicare Advantage and Part D claims and enrollment data. This implementation guide contains the specifications for the FHIR Patient, Coverage, ExplanationOfBenefit, and Organization resources profiled from CARIN IG for Blue Button® (http://hl7.org/fhir/us/carin-bb/index.html).

For more information about available resources, visit our FHIR API library.


Error Handling

All of our API errors are in the following JSON format:

    
    {
        "errors": [
            {
                "title": "ERROR_MESSAGE",
                "status": "HTTP_STATUS_CODE",
                "traceId": "UUID"
            }
        ]
    }

Support

Still have questions? Check out our FAQs Page.

Need assistance? Reach out to us at EnterpriseIntegrationPlatforms@arkbluecross.com.