Anthem Patient Access API Registration Request Form

This form is intended to facilitate inbound requests from application developers to register to connect with Anthem’s Patient Access API Production Environment. Under the Terms of Service described in Exhibit A, individuals holding themselves out as a developer’s authorized representative agree that their digital representations have the power to contractually obligate the developer organization.

The information captured below is for the purposes of processing this request, completing an appropriate and documented security risk analysis, and populating some of the displays that members see when they participate in the OAuth process. Any questions can be directed to InteroperabilityWorkgroup@Anthem.com.

Contact Information
Application Information
Questionaire
Data Questions
Education, Certificates and Connections
Acceptance of Terms of Service

Contact Information
Application Information
Questionaire
Data Questions
Education, Certificates and Connections
Acceptance of Terms of Service

Contact Information
Application Information
Questionaire
Data Questions
Education, Certificates and Connections
Acceptance of Terms of Service

Contact Information

Select A Date

Developer And Entity Information

Legal Name For Developer Requesting An API Connection

Type Of Legal Entity Of The Requestor (E.G. Corporation, Partnership, LLC, Sole Proprietor)

Under What Legal Jurisdiction Is The Entity Organized

Physical Address Of Entity (Not A P.O. Box; Home Address For A Sole Proprietor)

URL For Entity’s Corporate Website

Registrant’s Primary Business Point of Contact

Contact’s Name

Contact’s Job Title

Contact’s Phone Number

Contact’s Email Address

Registrant’s Primary Technical/Developer Point of Contact

Contact’s Name (Optional)

Contact’s Job Title (Optional)

Contact’s Phone Number (Optional)

Contact’s Email Address (Optional)

New Patient Access API Registration

interoperabilityworkgroup@anthem.com,aman.nimje@carelon.com

https://www.anthem.com/japi/mail/sendEmail

Application Information

What Is The Name(s) Of The Application?

If Different From the Developer, What’s The Legal Name Of The Owner Of The Application, According To Its Terms Of Service And Privacy Policy? (Optional)

Scope Of The Data (For What Anthem Consumers Are You Supporting)

Purpose Of The Data (How Is The Data Being Used?)

Will You Direct Any Data To Any Non-US Applications?

As Applicable, What Is The Application’s:

Redirect URLs

Homepage URL (Optional)

iOS Store Link (Optional)

Android Link (Optional)

Legal Terms Of Service URL (Optional)

Will Any Third-Party Vendors Be Working On Behalf Of The Entity/Application For Development And/Or Testing Purposes?

*Voluntary Attestation Workflow:

The individual completing this questionnaire should have an understanding of (1) federal and state laws and regulations applicable to the health data and the Organization offering the Application, (2) the Application’s data practices, and (3) the Application’s terms of service and privacy policy.

Completed By:

Name

Title

Date

Phone Number

Email Address

Is The Organization Offering The Application^1,2

A HIPAA-covered entity

A HIPAA business associate

Not a HIPAA-covered entity or a HIPAA business associate

Do The Application’s Data Practices Follow The CARIN Alliance Trust Framework And Code Of Conduct1 ?

Yes

Has The Application Been Registered On The CARIN Alliance’s MyHealthApplication.com?

Yes (Skip to Questions About Certifications section)

https://www.carinalliance.com/our-work/trust-framework-and-code-of-conduct/
The CARIN UX Compliance Guide, accessible via https://carinuxguide.arcwebtech.com, offers guidance for delivering education to consumers about safeguarding their health data and informing themselves about an application’s privacy practices.

Questionaire

Transparency

The Organization Includes A Publicly Accessible Link To The Application’s Privacy Policy On Its Website And Through The Application. (Optional)

Yes

The Privacy Policy Covers Collection, Use, And Disclosure Of Personal Data. (Optional)

Yes

The Privacy Policy Covers Collection, Use, And Disclosure of De-identified Information. (Optional)

Yes

The Organization Provides Updates When Privacy Policies Have Changed, And Provides Individuals With The Option To Re-Affirm Consent Or To Withdraw Consent. (Optional)

Yes

The Privacy Policy is clear about what happens to Data when Consent is re-affirmed or withdrawn. (Optional)

Yes

The Privacy Policy is clear about what happens to Data is the Application has a change in ownership or The Organization (Or Application Developer, If Different From The Organization) Goes Out Of Business. (Optional)

Yes

Questions About Data Collection

The Privacy Policy Is Clear About The Scope Of Information Collected By The Application (Optional)

Yes

The Application Only Collects Personal Data Through External Data Connections With Users’ Consent. (Optional)

Yes

The Application Only Collects Personal Data With Users’ Consent. (Optional)

Yes

After Collecting Personal Data From An External Source, The Application: (Optional)

Continues to collect new Personal Data as it becomes available until the user revokes consent.

Requires consent each time before collecting additional Personal Data from that source.

Questions About Data Uses By The Application

The Privacy Policy Is Clear About The Scope Of Permitted Uses Of Personal Data (Optional)

Yes

The App Developer (If Different From The Organization) And All Other Third-Party Service Providers Are Contractually Obligated To Follow The Privacy Policy. (Optional)

Yes

The Organization Prohibits Uses Of Personal Data And De-Identified Information Except With Consent From The Individual. (Optional)

Yes

The Organization Collects A Separate Consent Before Marketing Third-Party Goods Or Services To An Individual. (Optional)

Yes

Questions About Disclosures Of Data To Third Parties

The Privacy Policy Is Clear About The Scope Of Permitted Disclosures, When The Application Will Collect An Informed, Proactive Consent Before Sharing A User’s Data With Third Parties And When Disclosures Are Permitted Without An Informed, Proactive Consent (For Example, As Required By Law Or In Connection With The Business Transfer). (Optional)

Yes

The Privacy Policy Requires The Application To Collect A Separate Consent If The Purpose Of Disclosure Is To Facilitate The Marketing Of Goods Or Services To The Individual. (Optional)

Yes

Data Questions

Questions About Individual Rights

The Application Supports The Right Of Users To Access Their Data. (Optional)

Yes

The Application Supports The Right Of Users To Easily Change Their Consent Options. (Optional)

Yes

The Application Supports The Right Of Users To Close Their Account And Delete Their Data And Is Clear About Situations When Data Deletion May Not Be Feasible. (Optional)

Yes

Questions About Data Security

The Organization And App Developer (If Different From The Organization) Protects Identifiable Health Information By Implementing Security Safeguards Including Encryption Of Data In Transit And At Rest And Internal Accountability Measures Such As Access Controls And Audit Logs. (Optional)

Yes

The Organization And App Developer (If Different From The Organization) Comply With Applicable Breach Notification Laws. (Optional)

Yes

The Organization And App Developer (If Different From The Organization) Use Provider Portal Credentials (Compliant With SMART On FHIR Standards) Or A Digital Identity Credential That Meets NIST Assurance Level 2. (Optional)

Yes

The Organization And App Developer (If Different From The Organization) Prohibit Re-Identification Of De-Identified/Anonymized/Pseudonymized Data. (Optional)

Yes

Questions About Accountability

The Organization And App Developer (If Different From The Organization) Comply With All Applicable Federal And State Laws. (Optional)

Yes

The App Developer Regularly Trains Its Workforce On Compliance With The Data Practices Covered By The CARIN Code Of Conduct. (Optional)

Yes

Education, Certificates and Connections

Questions About Consumer Education²

The Application Includes Educational Resources To Help Users Understand The Application’s Data Practices, And Steps They Can Take To Protect Their Privacy And The Confidentiality Of Their Personal Data. (Optional)

Yes

2.The CARIN UX Compliance Guide, accessible via https://carinuxguide.arcwebtech.com, offers guidance for delivering education to consumers about safeguarding their health data and informing themselves about an application’s privacy practices.

Questions About Certifications

In The Last 12 Months, The Application’s Data Practices Has Been Reviewed By An Independent Assessment Organization For Compliance With The Application’s Privacy Policy And AICPA Privacy Principles, And Is Documented By A Written SOC-2 Certification Report.

Yes

In The Last 12 Months, The Application’s Data Practices Have Been Certified By An Independent Assessment Organization For Compliance With The HITRUST CSF.

Yes

The Developer Will Immediately Suspend The Application’s Connections With The API Endpoints If Its Data Practices Are Not Consistent With Its Applicable SOC-2 Or HITRUST CSF Certifications.

Yes

Not Applicable

Questions About Other FHIR-Based API Connections

The Application Has Been Approved By The U.S. Centers For Medicare And Medicaid Services For Access To Personal Data Through The CMS Blue Button 2.0 APIs.

Yes

The Application Has Been Approved By U.S. Veterans Administration For Access To Personal Data Through The VHA’s Lighthouse APIs.

Yes

The Application Is Currently Registered To Access Personal Data From Other Health Care Organizations, Through Open (Non-Proprietary) Or Proprietary FHIR-based APIs.

Yes

The Organization Or App Developer Has Not Been Permanently Banned From Connecting With The FHIR-Based APIs Of Any Health Care Organization.

Yes

Acceptance Of Terms Of Service

By typing your name and contact information in the forms below, you accept and agree to the Terms of Service in Exhibit A on behalf of the Developer entity identified above and represent you are duly authorized to do so by the Developer.

Developer Name

Contact Email Address

Terms Of Service For API Access

Parties To The API Access Terms Of Services:

These Terms of Services, (the “Agreement”) is entered into by and between the Party accepting these Terms of Service (“Developer”) for and on behalf of its Affiliates and [Anthem, Inc.] for and on behalf of its Affiliates health benefit plan affiliates (“API PROVIDER”). Developer and API Provider may each be referred to as a “Party” or collectively as “Parties.”

Overview

Developer is interested in accessing certain APIs offered by API Provider along with associated documentation consistent with the following terms and conditions.

Scope

By accessing or using APIs and other developer documentation and services, Developer agrees to the terms below, as well as any applicable laws and regulations (collectively, Terms).

Data Rights and Usage

Accounts/Registration

If Developer is using the API PROVIDER APIs or services on behalf of an entity, Developer represents and warrants that Developer has authority to bind that entity to the Terms and by accepting the Terms, Developer is doing so on behalf of that entity (and all references to “Developer” in the Terms refer to Developer and that entity). In order to access the API PROVIDER APIs Developer may be required to provide certain information (such as identification or contact details) as part of the registration process for the APIs, or as part of your continued use of the APIs. Any registration information Developer gives to API PROVIDER must be accurate and up to date and Developer must inform API PROVIDER promptly of any updates so that we can keep Developer informed of any changes to the API PROVIDER APIs or the Terms, which may impact Developer’s use of the APIs. Any Developer credentials (such as passwords, keys, tokens, and client IDs) issued to Developer by API PROVIDER are intended to be used only by Developer and to identify any software which Developer is using with the APIs. Developer agrees to keep its credentials confidential and make reasonable efforts to prevent and discourage other persons or entities from accessing or using its developer credentials. Developer credentials may not be embedded in open source projects. Developer is responsible to ensure access to and use of APIs is compliant with this agreement when such access and use is made with Developer’s credentials, whether or not such use is made by Developer. Developer may only access (or attempt to access) the API PROVIDER APIs by the means described in the documentation of those APIs. If API PROVIDER assigns Developer credentials, Developer must use them with the applicable APIs. API PROVIDER may revoke a developer’s credentials for inappropriate use as determined by API PROVIDER in its sole discretion. If Developer is granted production application credentials for the APIs, Developer may only use those credentials with the application that passed the production access review process. API PROVIDER may revoke production application credentials if Developer use or attempt to use them with another application or product that has not been reviewed and approved by API PROVIDER.

Activities and Purposes

Developer may use the API PROVIDER APIs to develop and provide a service to search, display, analyze, retrieve, view and otherwise obtain certain information or data from API PROVIDER as specifically provided for in the specifications and documentation for the specific API (“Permitted Purposes”).

Privacy

Information or data about individuals available from the API Provider APIs may be subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and other laws, and require special safeguarding. Developer must comply with all applicable laws regarding the protection, use and disclosure of information obtained through an API.

Developer further acknowledge that when records regarding an individual are obtained through an API, Developer has all required right, authorizations and consent from such individual, and Developer may not disclose any information or data regarding the individual to any other individuals or third parties without specific, explicit consent from the individual or his or her authorized representative, unless otherwise allowed by law.

IN WITNESS WHEREOF, By Developer’s use of the APIs and acceptance to these Terms of Service API Provider and Developer execute this Agreement to be effective upon acceptance of the terms by Developer

Terms Accepted Electronically By Developer

Terms Accepted