Patient Access and Provider Directory API
Interoperability and Patient Access Rule
The Centers for Medicare & Medicaid Services (CMS) created the Interoperability and Patient Access Rule to make it easier for you to access your health information and connect it to the apps and services that you choose. This rule helps ensure that your health data can move safely and securely between your providers, health plans, and digital tools.
Application Programming Interface (API)
The Interoperability and Patient Access Rule requires an Application Programming Interface (API) for Patient Access and for the Provider Directory.
The Patient Access API provides:
• Easy Access to Your Health Data: You can use secure apps to view your health records, claims, test results, and medications.
• Greater Transparency: See which providers are in your network and compare services easily.
• More Control: Decide who can access your health information and use it to better manage your care.
• Faster Updates: Most information is available within one business day after it is processed or received.
The Patient Access API ensures that your data is safe, and that only you (or someone you authorize) can approve access. Through the process, you can view claims, diagnoses, lab results, medications, and more, usually within one (1) business day after it is available to us.
The Provider Directory API provides information about ACBHS network providers, including Behavioral Health providers, hospitals, and any other providers or facilities that deliver Medi-Cal services for ACBHS.
Links to Alpine County APIs
ACBHS has partnered with Credible for the required APIs:
Patient Access API: For more information or to request access to the ACBHS Patient Access API, refer to this site: Swagger
Provider Directory API: For information about the ACBHS Provider Directory API, refer to this site: Credible FHIR — Qualifacts.
Member Educational Resources
Health Organizational Standards for Third-Party Apps
Publicly-accessible links to educational resources are provided to ensure that members understand how to protect the privacy and security of their health information.
The following is a list of health organizational standards that third-party health apps must meet and that members must understand when signing up for access to these apps:
• The importance of understanding the privacy practices of third-party applications; steps that members may consider taking to help protect their privacy and security; overview of types of organizations or individuals that are not likely to be HIPAA-covered entities: Office of the National Coordinator for Health Information Technology: Guide to Privacy and Security of Electronic Health Information
• Oversight by the Federal Trade Commission (FTC) of third-party and mobile health apps, as well as access to submit complaints (see Oversight section below): Mobile Health App Interactive Tool | Federal Trade Commission (ftc.gov)
• Oversight by the HHS Office for Civil Rights (OCR) of third-party and mobile health apps, as well as access to submit complaints: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html and https://www.hhs.gov/ocr/complaints/index.html
• Health and Human Services Third Party App API member access rights and compliance: The access right, health apps, & APIs | HHS.gov
General HIPAA-Covered Entities, Non-Entities, and Oversight Agencies
HIPAA covers entities that handle protected health information (PHI).
Covered entities include:
• Healthcare Providers: Doctors, hospitals, clinics, psychologists, and pharmacies.
• Health Plans: Health insurance companies, HMOs, company health plans, and government programs like Medicare and Medicaid (including ACBHS).
• Healthcare Clearinghouses: Entities that process nonstandard health information into a standard, interoperable format.
Entities or individuals that generally are not covered by HIPAA include:
• Employers: Employers, except in certain situations related to employee health plans.
• Life Insurers: Companies providing life insurance.
• Schools: Most schools, unless they provide healthcare to students through a separate healthcare provider.
Oversight Responsibilities:
• Office for Civil Rights (OCR): Part of the U.S. Department of Health and Human Services (HHS), OCR enforces HIPAA privacy and security rules for covered entities. It investigates complaints and conducts audits to ensure compliance.
• Federal Trade Commission (FTC): The FTC plays a role in enforcing privacy and security standards for non-HIPAA-covered entities, such as mobile health apps and health-related websites. It promotes consumer protection and addresses deceptive or unfair practices.
Complaints for HIPAA Violations or Other Privacy/Security Violations:
• Submitting a Complaint to OCR: If you believe your rights under HIPAA have been violated by a covered entity, you may file a complaint with OCR:
o Online: Visit the OCR Complaint Portal on the HHS website.
https://ocrportal.hhs.gov/ocr/smartscreen/main.jsf
o Email: Email your complaint to OCR at: OCRComplaint@hhs.gov
o USPS Mail: Send a written complaint to OCR:
Centralized Case Management Operations
U.S. Department of Health and Human Services
200 Independence Avenue, S.W.
Room 509F HHH Bldg.
Washington, D.C. 20201
• Submitting a Complaint to FTC: If you believe your rights have been violated by a non-HIPAA-covered entity, you may file a complaint with the FTC:
o Online: Visit the FTC Complaint Assistant tool: https://reportfraud.ftc.gov/assistant
o Phone: Call the FTC Consumer Response Center:
1-877-382-4357
In both cases, providing detailed information about the incident will help the agencies investigate and address the complaint effectively. Keep in mind that the OCR and FTC work collaboratively to ensure comprehensive oversight and protection of health information privacy.
County Security and Access Controls
ACBHS actively takes the following steps to help protect the privacy and security of your health information:
• Complies with privacy and data sharing guidelines set forth by DHCS, federal, and state governing bodies
• Regularly schedules audits of data and privacy controls by governing boards and independent auditors
• Maintains secured internal health data, HIPAA-compliant vendor communications, and multifactor authentication
• Engages multiple tiers of software security monitoring and required vendor security software assessments/clearances
• Regularly reviews and audits disaster and data loss recovery plans
• Employs secure network communication protocols
County API Policy and Procedure
1. API Policy and Procedure - Final 10.08.25
Additional Information or Assistance
If you have questions about your health data or how to use the API tools, contact ACBHS directly at 1-800-318-8212.
https://alpinecountyca.gov/764/Patient-Access-and-Provider-Directory-AP