Blue Cross and Blue Shield of Minnesota offers two APIs so you can build applications for our members.
The Patient Access API lets Blue Cross members access claims, drug formularies and a set of clinical data. This API is secured by SMART on FHIR. To continue, you’ll need to create a developer account.
The Provider Directory API lets Blue Cross members access our provider directory. There is no security required to access this API.
Getting Started
The SMART App Launch Framework connects third-party applications to the Patient Access API. it is based on the OAuth 2.0 specification and the OpenID Connect Core 1.0 Standard.
Currently the Blue Cross FHIR authorization server supports the standard OAuth 2.0 and OIDC web application authorization flow. It does not support the Proof Key for Code Exchange (PKCE) authorization flow.
If your application is dependent on a PKCE authorization flow, please reach out to us and we will prioritize it.
After registering your application, you will get a client ID and client secret (keep this secured).
We have provided a link to our well-known endpoint, which details the authorization server's capabilities. Keep in mind our developer sandbox and our production environments each have their own FHIR authorization server.
How it Works
Using your application, a Blue Cross member will want to authorize and consent to your application as a valid recipient of their highly confidential healthcare information.
Your application will send a request to the Blue Cross FHIR authorization server asking for authorization.
The Blue Cross FHIR authorization server will redirect the Blue Cross member to a login page where they will authenticate themselves and consent to allowing your application access to their highly confidential healthcare information.
After authorization and consent is completed, the Blue Cross FHIR authorization server will redirect back to your application (at the redirect URI you provided during registration of your application). The authorization code will be included in the query parameters.
Your application will then use the authorization code (and your client secret) to ask for an access token (JWT).
Once you have the access token you will include it on all FHIR requests made on behalf of the Blue Cross member. The access token will appear in the request header as an authentication bearer token.
The Supported Scopes
Scope
Grant
openid
Permission to retrieve information about the current logged-in user
profile
Permission to retrieve information about the current logged-in user
fhirUser
Permission to retrieve information about the current logged-in user
launch/patient
When launching outside the EHR, ask for a patient to be selected at launch time
patient/*.read
Permission to read any resource for the current patient
offline_access
Request a refresh_token that can be used to get a new access token to replace an expired one, even after the end-user no longer is online after the access token expires
The Supported Capabilities
launch-standalone
support for SMART’s Standalone Launch mode
client-confidential-symmetric
support for SMART’s confidential client profile (symmetric client secret authentication)
sso-openid-connect
support for SMART’s OpenID Connect profile
context-standalone-patient
support for patient-level launch context (requested by launch/patient scope, conveyed via patient token parameter)
permission-offline
support for refresh tokens (requested by offline_access scope)
permission-patient
support for patient-level scopes (for example, patient/Observation.read)
Putting this Together
Your application will send a request to the BCBS-MN FHIR authorization server asking for authorization.
Application Request
GET https://xxxx.bluecrossmn.com/fhir/authorize?response_type=code&client_id=YOUR_CLIENT_ID&scope=launch/patient%20patient/*.read%20offline_access%20fhirUser%20openid&redirect_uri=http://YOUR_HOST:3000/redirect/callback&aud=https://api-xxxx.bluecrossmn.com/fhir&state=dev&nonce=d1bgsv478gr
In this example, your application is asking the BCBS FHIR authorization server for several things:
response_type=code
an authorization code
redirect_uri
the location where the authorization code should be delivered. This must match a location you specified when registering your application.
scope=launch/patient
a patient context
patient/*.read
and the ability to read all the patient's information
fhirUser%20openid
your application wants to know who is using the application, it may not be the patient
The BCBS-MN FHIR authorization server will re-direct the BCBS-MN customer to a login page where they will authenticate themselves and consent to allowing your application access to their highly confidential healthcare information. URL
https://xxxx.bluecrossmn.com/member/index.html
Once here several other pages and redirects may occur, your application should not care.
Upon successful completion of the authorization and consent, the BCBS-MN FHIR authorization server will redirect back to your application (at the redirect URI you provided during registration of your application). The authorization code will be included in the query parameters. URL
The response contains a lot of information you will want to be aware of.
token_type
the type of token
access_token
the token itself
expires_in
when the token expires
scope
the scopes your application was granted, these may or may not match the scopes you requested
refresh_token
in this example your application requested and was granted a refresh token
id_token
in this example your application requested and was granted an openid token identifying the user using your application
patient
in this example your application requested a patient context, it is provided by the FHIR ID of the patient
Once you have the Access Token you will include it on all FHIR requests made on behalf of the Blue Cross Blue Shield of Minnesota customer. The Access Token will be presented in the request header as an authentication bearer token.
Get
