Overview
Welcome to the Highmark Health Interoperability Developer Portal! Our portal provides access to Highmark Health's APIs based on the Health Level 7® (HL7) Fast Healthcare Interoperability Resources (FHIR®) 4.0.1 standards.
This Developer Portal enables access to APIs for both Highmark Health Organization and the Blue Cross Blue Shield Wyoming Organization.
We provide seven APIs for Highmark Health Organization, which will help you to build applications for Highmark Health customers and providers based on the following:
1. The Provider Directory API will enable you to query our provider information. The Provider Directory API includes provider names, addresses, phone numbers, hours of operation and specialties. To review more detail about the Provider Directory API, visit our API Catalog.
2. The Sandbox Patient Access API will enable you to test reading our sample patient information in your application. The Sandbox Patient Access API includes sample adjudicated claims data, encounters with capitated providers, and clinical data, including laboratory results, formulary information or information about covered outpatient drugs and preferred drug lists, all of which must be viewable to the member. For more information about our Sandbox Patient Access API, visit our API Catalog. Also, the sandbox version of the Patient Access API does not require OAuth credentials; it simply uses an API Key.
3. The Patient Access API will enable you to read our patient information in your application. The Patient Access API includes adjudicated claims data, encounters with capitated providers, and clinical data, including laboratory results, formulary information or information about covered outpatient drugs and preferred drug lists, all of which must be viewable to the member. For more information about our Patient Access API, visit our API Catalog.
4. The ESI Provider Directory API will allow you to read Highmark pharmacy information. It includes pharmacy names, addresses, phone numbers, and type, such as compounding and retail pharmacies. For more details visit our API Catalog. (Note that Express Scripts, Inc. (ESI) is the pharmacy benefits manager (PBM) for Highmark, Highmark Delaware, and Highmark West Virginia.)
5. The ESI Patient Access API will enable you to query for clinical information from the Highmark PBM, ESI, including allergy tolerance, conditions, observations, and procedures. For more information visit our API Catalog.
6. The ESI Formulary API will allow you to read Highmark information about covered outpatient drugs and preferred drug lists from the Highmark PBM, ESI. For more details visit our API Catalog.
Additionally, we provide three APIs for BCBS Wyoming Organization, which will help you to build applications for BCBS Wyoming customers and providers based on the following:
1. The Sandbox Patient Access API will enable you to test reading our sample patient information in your application. The Sandbox Patient Access API includes sample adjudicated claims data, encounters with capitated providers, and clinical data, including laboratory results, formulary information or information about covered outpatient drugs and preferred drug lists, all of which must be viewable to the member. For more information about our Sandbox Patient Access API, visit our API Catalog. Also, the sandbox version of the Patient Access API does not require OAuth credentials; it simply uses an API Key.
2. The Patient Access API will enable you to read our patient information in your application. The Patient Access API includes adjudicated claims data, encounters with capitated providers, and clinical data, including laboratory results, formulary information or information about covered outpatient drugs and preferred drug lists, all of which must be viewable to the member. For more information about our Patient Access API, visit our API Catalog.
3. The Prime Explanation of Benefits API will enable you to retrieve pharmacy claims information from Prime Therapeutics (Prime), the PBM for Blue Cross Blue Shield Wyoming. For more details visit our API Catalog.
You'll find several resources on the portal to help you create your applications. Our Developer Onboarding Guide provides a Quick Start Guide along with security configuration to help you get your developer account registered and your application easily authorized.
Quick Start Guide
The following steps describe how you can register your developer account and get your application set up, so you can begin using our Interoperability APIs.
1. Review our API Catalog, where you will find documentation about the APIs.
To visit the API Catalog, click APIs from the top menu or click the The Catalog provides documentation of the API interface and each of the Resource Methods available. The API Catalog also enables the developer to download an OpenAPI Specification (formerly Swagger). It is not necessary to create a developer account to have access to this information.
2. Register for a Developer Account, sign up as a developer to begin the process of creating an API.
Click the Step 1 Register hyperlink or navigate from the Sign In menu item.
Completing the registration is easy:
Use the Highmark Health Organization code e18f9d to complete the registration for access to the Highmark Health CMS APIs.
Use the BCBS Wyoming Organization code 605ea3 to complete the registration for access to BCBS Wyoming CMS APIs.
3. Account Activation, you will receive an account activation email confirming your email address.
Be sure to check in your SPAM or junk mail folder if you cannot locate the email in your Inbox. Follow the instructions in your email to access your account.
4. Application Creation, you will need to register your Application to enable access to our Interoperability APIs.
Click Applications on the top menu. Then click the Create Application hyperlink. Complete the form and select the APIs you would like to access. Be sure to read and agree to the Developer Attestation, as this will determine if Members receive a warning when trying to access your Application.
5. Generate API Key, the API Key is required to begin accessing our Provider Directory API or the Sandbox Patient Access API.
Select the application and generate an API Key for your application. Navigate to API Keys and click the Edit the Application hyperlink. Click API Keys, then click the Generate button.
6. Request OAuth Credentials, these will be required for access to our Patient Access API.
Select the application and generate an OAuth Credential for your application. Navigate to OAuth Credentials and click the Edit the Application hyperlink, then click Generate.
Populate the form presented, paying close attention to providing the Redirect URLs for your Application. Once finished, click Generate client.
This will be sent to our Security team for review and setup.
Once completed, you will receive a secure email containing your assigned ClientID and Secret.
Until this process completes, your OAuth credentials will show pending status.
7. Invoke Desired APIs.
Once your application has the necessary credentials, either API Key or OAuth access token, you can invoke the APIs.
Our Provider Directory and Sandbox Patient Access APIs only require the API Key to be able to access them; no OAuth is required.
We kindly request that developers first test with the Sandbox Patient Access API in our sandbox environment prior to using the production version. The sandbox version is secured using an API Key. As a third-party developer, you can self-generate the API Key for your application as described above and then use it to test with the Sandbox Patient Access API. The responses returned by our Sandbox Patient Access API contain only example data and do not reflect information of a real member.
If you happen to encounter any issues during developer registration or the application registration process, please refer to our Support section below in the document.
Authorization Overview
Our Interoperability APIs implement the FHIR SMART App Launch Framework utilizing OAuth 2.0 and OpenID Connect. We implement the OAuth 2.0 Proof Key for Code Exchange (PKCE) enhanced authorization flow to enable the most secure access to our APIs.
While our Provider Directory API does not require OAuth and simply uses your registered application’s API key, in accordance with the mandate for public accessibility, our Patient Access API will require OAuth.
As described in the Application Registration process above, this is where you will request OAuth credentials to be used by your Application. If your Application is exposed such that you cannot ensure the privacy of your Client Secret, that will require you to implement our PKCE authorization flow.
We support the following scopes and expect that these will evolve as our FHIR maturity increases:
| SMART Scopes | Grant Descriptions |
| | This SMART scope requests access to read all patient information |
Authorization Code Flow With PKCE
The Application will initiate the authorization code flow for an individual wishing to access their Highmark Health patient data using the following authorization endpoint:
https://{{domain}}/v3/{{non-prod-env}}/oauth/authorize?response_type=code&state=&client_id={{your_client_id}}&scope={{scope}}&redirect_uri={{redirect_uri}}&code_challenge=&code_challenge_method=S256
Substitute the following in the URI above:
- Domain: Highmark Health OAuth host by environment
- Non-prod: cmsoauthqa.hmhs.com
- Prod: cmsoauth.hmhs.com
- Client Id: This must be the Client Id that you were assigned upon registration of your application
- Scope: patient/*.read
- Redirect URI: This is the uri of your system that you supplied when registering your application. This is the uri expecting the callback from Highmark Health OAuth server
- Code Challenge: This is generated using your self-created Code Verifier (a cryptographically random key you generate for verification)
- Code Challenge Method: The hash method used in generating the Code Challenge. We require S256 as it is the more secure approach
Your user will be redirected for login to https://cmsoauth.hmhs.com/v3/signin
After the user authenticates using the displayed Highmark Health Login page with their existing Member Portal UserId and Password and grants access to their patient data for your application, they will be redirected to the URL that you provided with an authorization code.
After your application receives an authorization code, the Application must exchange it for a JWT access token. Use the following URL to acquire the JWT token:
Non-Wholecare Member Authentication:
Auth URL: https://cmsoauth.hmhs.com/v3/oauth/authorize
Token URL: https://cmsoauth.hmhs.com/v3/oauth/token
Wholecare Member Authentication:
Auth URL: https://cmsoauth.hmhs.com/v5/oauth/authorize
Token URL: https://cmsoauth.hmhs.com/v5/oauth/token
This JWT token will contain the patient_id and approved scopes to be used on your subsequent Patient Access API requests. The JWT access key should be passed as an Authorization header of type Bearer.
The token request must include the following:
- Code: The authorization code you received
- Redirect URI: This is the uri your system is expecting
- Client Id: The Client Id your application has been assigned
- Secret: The associated secret for your Client Id
- Code Verifier: Your cryptographically generated random key for verification of the Code Challenge
Support
Do you need help? We are here if the need arises.
If you are having an issue related to one of the production APIs, first retest your application in the test environment to ensure your coding is correct before contacting us.
If you still need support or have a question about developer or app registration, please email Highmark Health Developer Support. The email should contain the following information:
- A description of the issue or your question
- Indication of whether the issue is in the test environment or production environment (if applicable)
- The API and the FHIR resource(s) (if applicable)
- The response code or error message
- The date and time (including time zone) the error occurred
- Your contact information
Never include a member’s personal health information in this email. Note that member specific claims issues or authentication issues (e.g., forgotten member portal username or password) will not be resolved through the developer support mailbox. Instead, those will be resolved by contacting the service desk for the member’s health plan.