Identify the payer's Patient Access API endpoint. Under CMS-9115 (the Interoperability and Patient Access final rule), most large payers are required to expose a FHIR R4 API, and many publish their FHIR base URL and SMART configuration publicly.
Implement SMART on FHIR standalone launch as the authentication mechanism; payer Patient Access APIs use OAuth 2.0/SMART to authenticate the member (patient) directly.
After obtaining an access token scoped to the member, query for ExplanationOfBenefit resources: GET [base]/ExplanationOfBenefit?patient=[id] to retrieve claims history.
Query Coverage resources to determine benefit plan details: GET [base]/Coverage?patient=[id] returns active and historical coverage periods, plan identifiers, and subscriber information.
Access clinical FHIR resources if the payer exposes them (some payers surface clinical data from claims and prior authorizations as Condition, MedicationRequest, and Procedure resources).
Handle the payer's specific FHIR profile and extensions; payer FHIR APIs often follow the CARIN Blue Button implementation guide profiles, which extend base FHIR R4 resources with claims-specific fields.
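The standalone launch and the two searches above, sketched as an added example (not code from the original page or from any payer). The hostnames, client ID, requested scopes and helper names are assumptions, and the discovery document is a constructed sample of what a payer serves at [base]/.well-known/smart-configuration.

```python
import base64, hashlib, secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample of a payer's [base]/.well-known/smart-configuration document.
SAMPLE_SMART_CONFIG = {
    "authorization_endpoint": "https://auth.payer.example/oauth2/authorize",
    "token_endpoint": "https://auth.payer.example/oauth2/token",
    "code_challenge_methods_supported": ["S256"],
}
# Assumed scope set: read-only, limited to the two resources queried here.
SCOPES = "launch/patient openid fhirUser patient/ExplanationOfBenefit.read patient/Coverage.read"

def pkce_pair():
    """Return (verifier, challenge) for PKCE with the S256 method (RFC 7636)."""
    verifier = secrets.token_urlsafe(48)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def build_authorize_request(config, fhir_base, client_id, redirect_uri):
    """Build the standalone-launch redirect; returns (url, state, verifier)."""
    for key in ("authorization_endpoint", "token_endpoint"):
        if urlsplit(config.get(key, "")).scheme != "https":
            raise ValueError(f"{key} missing or not https")
    if "S256" not in config.get("code_challenge_methods_supported", []):
        raise ValueError("server does not advertise PKCE S256")
    state = secrets.token_urlsafe(24)  # store in the user's session, check on callback
    verifier, challenge = pkce_pair()
    params = {
        "response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
        "scope": SCOPES, "state": state,
        "aud": fhir_base,  # names the FHIR server the token is intended for
        "code_challenge": challenge, "code_challenge_method": "S256",
    }
    return config["authorization_endpoint"] + "?" + urlencode(params), state, verifier

def check_callback(callback_url, expected_state):
    """Return the authorization code only if state matches the value we issued."""
    query = parse_qs(urlsplit(callback_url).query)
    returned = query.get("state", [""])[0]
    if not secrets.compare_digest(returned.encode(), expected_state.encode()):
        raise ValueError("state mismatch: discard this response")
    return query["code"][0]

def fhir_search(fhir_base, resource, patient_id, access_token):
    """Return (url, headers) for GET [base]/<resource>?patient=<id>."""
    url = f"{fhir_base}/{resource}?" + urlencode({"patient": patient_id})
    return url, {"Authorization": f"Bearer {access_token}", "Accept": "application/fhir+json"}
```

The verifier returned by build_authorize_request is sent later as code_verifier when the code is exchanged at the token endpoint; keep it and the state server-side, tied to the member's session.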
Known gotchas
CMS-9115 applies to CMS-regulated payers (MA, Medicaid, CHIP, QHP); employer-sponsored plans regulated under ERISA have different requirements and may not have a Patient Access API.
Payer FHIR API quality varies significantly. Some payers return only claims-derived data with limited clinical coding accuracy, so do not use payer API data as the sole source for clinical decision-making.
Member authentication at payer portals often involves multi-factor authentication flows that are difficult to automate; Patient Access APIs are designed for member-authorized third-party apps, not backend automation.