As adoption of the Blue Button 2.0 API (BB2.0 API) grows, the CMS Blue Button team continues to look at ways to improve the API and stay current with evolving standards. A primary goal for CMS with the BB2.0 API is to help beneficiaries make more informed choices about the applications they use and the data they share. To enhance the security and privacy posture for Medicare beneficiaries using the BB2.0 API, we are pleased to announce the following changes to our service:
- New requirements for third-party applications seeking access to Medicare claims data through the BB2.0 API, described below.
- A feature enhancement to enable beneficiaries to choose whether they want to share their demographic information with a given application (more information on this enhancement available here).
We’ll be rolling out new requirements and modifying the process by which the CMS BB2.0 API team considers applications for production access. The goal is to make our expectations clear: what an application needs to do to gain production access to the API. We expect this new documentation and process will lead to faster onboarding of third-party applications and ultimately improve the security and privacy of beneficiary data.
The new requirements consist of the following documents:
- A production access user guide that describes our general expectations around what information applications will need to detail in their privacy policies and terms of service, how we expect applications to ensure beneficiaries stay informed about the privacy and security of their data, and the production access application process for third-party applications seeking access to the BB2.0 API.
- A production access checklist that will help organizations know what they need to do to prepare their production access application. Each application will have to adhere to the guidelines in the checklist to gain production access. We’ll review each application’s answers as part of the application’s demo to the BB2.0 API team.
- Updated BB2.0 API terms of service, which now align more closely with the privacy and security features we expect to see in the privacy policies and documentation of third-party applications using the API. Updates include changes to modal verbs throughout (for example, applications “must,” rather than “shall,” display the attribution notice within the application) and the addition of a section in which applications agree to use the API consistent with our framework of transparency, consent, use and disclosure, individual access, security, data quality and accountability.
Effective today, applications seeking production access to the BB2.0 API will be required to adhere to the requirements outlined in the user guide, checklist, and updated terms of service.
Existing production applications will have until March 31st, 2020, to adhere to the new requirements and new terms of service, and meet with the CMS BB2.0 API team to demonstrate adherence to the new requirements.
What does this mean for existing production applications?
Organizations with applications that are currently in production will continue to have access to Blue Button under the existing terms of service until March 31st, 2020. However, before March 31st, 2020, an organization currently in production must review the new terms of service, user guide, and checklist, and seek re-approval from the CMS team to demonstrate adherence to the new requirements in order to maintain access to the API. Once an organization believes it is fulfilling all items detailed in the user guide and checklist and adheres to the new terms of service, they should email firstname.lastname@example.org to set up a meeting with the CMS team to review.
Every application currently in production will require re-review to ensure compliance with the new requirements by March 31st, 2020. Many apps may already comply with, or even exceed, our new requirements, and we’re committed to working together to make the re-review process as easy as possible. You can use our guides, mentioned above, to prepare, and you can also reach out to us with any questions or concerns by contacting the BB2.0 email, above.
Once your app is ready for a re-review meeting, submit your request for an “application review meeting” via email to email@example.com.
What does this mean for applications looking to request production access to Blue Button for the first time?
Effective 11/14/2019 (today), organizations seeking production access to the API must adhere to the requirements detailed in the user guide, checklist, and updated terms of service. In order to gain production access, an organization should start by reviewing the updated terms of service, user guide, and checklist. Once an organization believes it is fulfilling all the requirements detailed in the checklist and adheres to the new terms of service, it should email firstname.lastname@example.org to set up a production access demonstration meeting with the CMS team.
We are confident these new requirements and this new process will result in faster onboarding and more robust security and privacy practices for our third-party applications, and ultimately (and most importantly) in a better experience and increased privacy and security for Medicare beneficiaries.