Confirm your plan type falls under the CMS-0057-F rule (Medicaid managed care, CHIP managed care, or Medicaid FFS using modular MMIS) — Patient Access API compliance was required as of January 1, 2026.
Obtain OAuth 2.0 credentials from the state or managed care entity's developer portal; the API uses SMART on FHIR scopes such as patient/Coverage.read and patient/ExplanationOfBenefit.read.
POST to the token endpoint to obtain a bearer token, then query the Coverage endpoint: GET /fhir/r4/Coverage?patient={patientId} and check the status field for active/inactive.
Parse the Coverage resource for period.start, period.end, payor reference, and class entries that encode plan and group identifiers.
For prior authorization status, query the ClaimResponse or Task resources as exposed by the payer's FHIR server per CMS-0057-F requirements.
Handle 401 (token expired), 403 (missing scope), and 429 (rate limit) errors; refresh tokens use the standard OAuth refresh_token grant.
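Added example, not part of the original page or any payer's code: parsing a Coverage search result for the fields named in the steps above and mapping the 401/403/429 responses to a client action. The sample Bundle and its identifiers, the function names, and the 30-second fallback wait are constructed assumptions; the example also goes one step further than the status check by treating coverage as in force only when status is active and the date falls inside period.

```python
from datetime import date

# Constructed sample: a FHIR R4 searchset Bundle shaped like a Coverage search result.
SAMPLE_BUNDLE = {"resourceType": "Bundle", "type": "searchset", "entry": [
    {"resource": {"resourceType": "Coverage", "id": "cov-1", "status": "active",
        "period": {"start": "2026-01-01", "end": "2026-12-31"},
        "payor": [{"reference": "Organization/example-mco"}],
        "class": [
            {"type": {"coding": [{"code": "group"}]}, "value": "GRP-001"},
            {"type": {"coding": [{"code": "plan"}]}, "value": "PLAN-A"},
        ]}},
    {"resource": {"resourceType": "Coverage", "id": "cov-0", "status": "cancelled",
        "period": {"start": "2025-01-01", "end": "2025-12-31"},
        "payor": [{"reference": "Organization/example-mco"}]}},
]}

def summarize_coverage(bundle, on=None):
    """Return one dict per Coverage: status, period, payors, class identifiers."""
    on = on or date.today()
    out = []
    for entry in bundle.get("entry", []):
        res = entry.get("resource", {})
        if res.get("resourceType") != "Coverage":
            continue  # a search Bundle can also carry OperationOutcome entries
        period = res.get("period", {})
        start, end = period.get("start"), period.get("end")
        # Assumes full dates (YYYY-MM-DD, optionally followed by a time part).
        in_period = ((not start or date.fromisoformat(start[:10]) <= on)
                     and (not end or on <= date.fromisoformat(end[:10])))
        classes = {c["type"]["coding"][0].get("code"): c.get("value")
                   for c in res.get("class", []) if c.get("type", {}).get("coding")}
        out.append({"id": res.get("id"), "status": res.get("status"),
                    "start": start, "end": end,
                    "payors": [p.get("reference") for p in res.get("payor", [])],
                    "classes": classes,
                    "in_force": res.get("status") == "active" and in_period})
    return out

def next_action(status_code, headers=None):
    """Map the error codes from the last step to (action, seconds_to_wait)."""
    if status_code == 401:
        return ("refresh", 0)       # token expired: refresh_token grant, retry once
    if status_code == 403:
        return ("reauthorize", 0)   # missing scope: retrying the same token cannot help
    if status_code == 429:
        retry_after = (headers or {}).get("Retry-After", "")
        return ("wait", int(retry_after) if retry_after.isdigit() else 30)  # 30 s assumed
    return ("ok", 0) if 200 <= status_code < 300 else ("fail", 0)
```

Treating 403 as a stop condition keeps the client from hammering the server with a token that lacks the scope; the fix is a new authorization that requests it.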
Known gotchas
Each state Medicaid agency or managed care plan operates its own FHIR server — there is no single national endpoint; you must obtain base URLs from each payer separately.
The Patient Access API requires beneficiary-level consent (individual OAuth authorization), not system-level credentials; bulk population queries are not available through this pathway.
CHIP-only children's programs may have separate FHIR endpoints from the adult Medicaid program even within the same state agency.