Technical Interoperability Guidelines
Antidote Health Interoperability Overview
Antidote Health's Interoperability APIs are developer-friendly, FHIR-based APIs that enable third-party applications and vendors to connect their applications to Antidote Health patient and provider information.
Interoperability APIs enable Antidote Health members to consent to share their data with a third-party application of their choosing. These APIs also enable third-party application owners to connect to provider and pharmacy directories or publicly available data.
API Technology and Functionality
- Register a member-facing application
- Allow members to consent to an application accessing their data within scope
- Use the HL7 FHIR (Fast Healthcare Interoperability Resources) standard for patient and publicly available provider data
- Use OAuth 2.0 or OpenID authorization flows to support member authorization
Authorization / Authentication
To use the Antidote Health interoperability APIs, a developer must register their application or portal by emailing the Interoperability group at interoperability@antidotehealth.com. During this process, you will be required to complete a questionnaire about your application's purpose and business details.
Once registered, an application and point of contact are given a client ID and a client secret. The secret should only be used where it can be kept confidential, such as in communication between your server and the Antidote Health interoperability APIs.
Supported Implementation Guides:
Antidote Health supports the following implementation guides:
- HL7 Da Vinci Project
- Centers for Medicare & Medicaid Services Implementation Guides and Standards
- Patient Access API
Production Access:
Production applications with a need to access Public APIs (formulary, provider directory, and pharmacy directory) will still require registration but will be automatically approved. Production application requests for Patient Access APIs will require review from our security and compliance team prior to approving access. Our security and compliance team will reach out with any questions during this review process.
Authorization server URL documentation is shared after successful organization registration and approval.
For production application requests, please send an email with your contact information to: interoperability@antidotehealth.com.
App Privacy:
Selecting an App and Safeguarding Personal Information
As with any interaction over the internet, these tremendous benefits are not without some level of risk. Antidote takes your privacy and the security of your health information as seriously as you do. Antidote safeguards your data throughout the process of sharing it in several ways, including using challenge questions and multi-factor authentication to confirm you - and no one else - can access and share your data. It is important to understand that once your data is shared with a third-party application, Antidote is no longer responsible for the security of that data. This is why it is important to read the privacy and security policies for any application you choose to share your data with, to ensure you understand how it is protected and used by that specific, non-Antidote application. When selecting a third-party application, carefully review the application’s privacy practices, including the application’s data sharing policies and whether the application uses challenge questions and multi-factor authentication to confirm your identity.
As a health plan, Antidote is a Covered Entity as defined by Health and Human Services and must protect your information under HIPAA. Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards. Many organizations that have health information about you do not have to follow these laws.
Non-Antidote applications are not always considered Covered Entities and may not be subject to HIPAA. However, the FTC enforces the Health Breach Notification Rule, which requires certain organizations and apps not covered by HIPAA to notify their customers, the FTC, and, in some cases, the media, if there’s a breach of unsecured, individually identifiable health information. The FTC has made it clear that makers of health apps, connected devices, and similar products must comply with the Rule. The U.S. Department of Health and Human Services (HHS) OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, and the Patient Safety Act and Rule. You can find more information about patient rights under HIPAA and who is obligated to follow HIPAA here:
Reporting Identity Theft and Fraud
If you believe a non-Antidote application that you've shared your data with is misusing that information in violation of its stated privacy policy, contact the Federal Trade Commission to investigate the matter by going to ReportFraud.ftc.gov or calling 877-382-4357. If you believe the privacy of your health care data has been violated by a non-Antidote application, contact the FTC and file a complaint at: https://reportfraud.ftc.gov/#/assistant. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces federal civil rights laws, conscience and religious freedom laws, the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules, and the Patient Safety Act and Rule, which together protect your fundamental rights of nondiscrimination, conscience, religious freedom, and health information privacy at covered entities.
If you believe that a HIPAA-covered entity or its business associate violated your (or someone else’s) health information privacy rights or committed another violation of the Privacy, Security, or Breach Notification Rules, you may file a complaint with the Office for Civil Rights (OCR). OCR can investigate complaints against covered entities (health plans, health care clearinghouses, or health care providers that conduct certain transactions electronically) and their business associates. To learn more about filing a complaint with OCR under HIPAA, visit: https://www.hhs.gov/hipaa/filing-a-complaint/index.html. Individuals can file a complaint with OCR using the OCR complaint portal: https://ocrportal.hhs.gov/ocr/smartscreen/main.jsf. Individuals can file a complaint with the FTC using the FTC complaint assistant: https://reportfraud.ftc.gov/#/assistant.
FAQ:
Member revokes access: A member may revoke access to your application. When you encounter an invalid token indicating a member has revoked access, you should make a reasonable attempt to handle that case, making it easy for the member to understand what is happening with their data.
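One way a client could handle the revoked-access case described above, shown as an added example that is not Antidote Health's code. It assumes standard OAuth 2.0 error signalling (`invalid_token` on a 401 per RFC 6750, `invalid_grant` from the token endpoint per RFC 6749), which this page does not confirm for these APIs; `TokenStore`, `handle_response` and the injected `refresh` callable are hypothetical names.

```python
import re
from dataclasses import dataclass, field

# Assumption: the APIs signal errors as RFC 6749 / RFC 6750 describe.
# The page does not document the actual error responses.
BEARER_ERROR = re.compile(r'error="([^"]+)"')

@dataclass
class TokenStore:
    """Hypothetical in-memory store: member_id -> {'access': ..., 'refresh': ...}."""
    tokens: dict = field(default_factory=dict)
    notices: list = field(default_factory=list)

    def revoke_locally(self, member_id):
        # Drop both tokens so the revoked grant is never retried, and queue
        # a plain-language notice telling the member what happened.
        self.tokens.pop(member_id, None)
        self.notices.append((member_id, "Sharing with this app has stopped. "
                             "Reconnect your health plan to resume."))

def bearer_error(status, headers):
    """Return the RFC 6750 error code carried by a 401 response, or None."""
    if status != 401:
        return None
    lowered = {k.lower(): v for k, v in headers.items()}
    m = BEARER_ERROR.search(lowered.get("www-authenticate", ""))
    return m.group(1) if m else None

def handle_response(member_id, status, headers, store, refresh):
    """Decide what to do after a FHIR API call.

    refresh(refresh_token) -> (status, body_dict) is the caller's own
    token-endpoint request, injected so this example runs offline.
    Returns 'ok', 'retry' (new access token stored), 'revoked' or 'error'.
    """
    if bearer_error(status, headers) != "invalid_token":
        return "ok" if status < 400 else "error"
    entry = store.tokens.get(member_id)
    if entry is None:
        return "revoked"
    r_status, body = refresh(entry["refresh"])
    if r_status == 200 and "access_token" in body:
        entry["access"] = body["access_token"]
        entry["refresh"] = body.get("refresh_token", entry["refresh"])
        return "retry"
    if r_status == 400 and body.get("error") == "invalid_grant":
        store.revoke_locally(member_id)
        return "revoked"
    return "error"  # transient failure: keep tokens and try again later
```

Only a failed refresh with `invalid_grant` is treated as revocation; an expired access token or a temporary token-endpoint outage leaves the stored grant untouched.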
Contact us:
To inquire about access to Antidote Health Patient Access, Provider Directory, or Payer to Payer Data Exchange APIs as part of the Interoperability and Patient Access final rule (CMS-9115-F) from the Centers for Medicare & Medicaid Services, please send an email with your contact information to interoperability@antidotehealth.com.