As CMS continues to gather feedback from users on the Data at the Point of Care (DPC) pilot, we will likely add more FAQs to this page. If you have a question that is not listed below, please reach out through the DPC Google Group.

About DPC:

  • Technical documentation is available in the API Documentation.
  • A DPC Google Group has been created to provide answers to questions and to support providers and developers who are implementing Data at the Point of Care.

  • Blue Button 2.0 provides FHIR-formatted data for one individual Medicare beneficiary at a time, to registered applications with beneficiary authorization. See
  • BCDA provides FHIR-formatted bulk data files to Medicare Shared Savings Program Accountable Care Organizations (MSSP ACOs) for all of the beneficiaries assigned to a given ACO. See
  • Data at the Point of Care provides FHIR-formatted bulk data files to fee-for-service providers for their active patients as needed for treatment purposes under HIPAA. With DPC, providers identify their own rosters of patients to track, and no action is required from the beneficiary to authorize sharing of data. Data is shared between covered entities for treatment purposes as defined under HIPAA.

  • Usefulness of the data to evaluate how helpful CMS claims data is for impacting treatment, provider burden, and quality of care for Fee-for-Service (FFS) providers at the point of care
  • Ease of implementation for vendors and providers to evaluate how easy it is to configure and get started with requesting and receiving claims data
  • Practicality and effectiveness of attribution logic that determines which providers can request and receive claims data for which patients and for how long
  • Ease and effectiveness of ways that vendors and providers can collaborate to access the data
  • Measure of the frequency of use and an evaluation of performance in different use cases to determine infrastructure decisions
  • Any other feedback, additions, or changes

  • Data at the Point of Care secures Protected Health Information (PHI) and Personally Identifiable Information (PII) and has multiple layers of protection, such as encryption in transit and at rest, security certification requirements of connecting vendors, auditing and analytics to look for suspicious activity, terms of service restrictions, public and private security keys, and IP address restriction.
  • Data at the Point of Care is built based on privacy requirements defined by HIPAA.

There is no cost for the data.

About Sandbox:

  • Fee-for-Service (FFS) providers who treat Medicare patients
  • Providers who already receive claims from other payers and who have successfully integrated the information into existing clinical workflows
  • Providers who have experience using Blue Button 2.0 or the Beneficiary Claims Data API project
  • Providers who already use or test with FHIR, especially Bulk FHIR

  • Any Fee-for-Service provider or Health IT vendor can request access to synthetic data via our sandbox

About Production Pilot:

We're excited to invite you to apply to be a production pilot participant! You can email DPC to be added to the queue for production access.

DPC is looking for healthcare organizations who meet the following criteria:
  1. You can answer questions about your healthcare organization, including but not limited to EHR and/or data vendor information, number of providers, provider specialties, and/or number of Medicare beneficiaries seen annually
  2. You can provide documentation explaining the workflows implemented in your DPC solution for attribution and the clinical display of data. This can be satisfied with workflow diagrams or written procedures.
    1. Attribution (what is your system/user's selection criteria in identifying the patients to be included in requests for data, how do you determine if a patient has an active treatment relationship with the assigned provider, etc.)
    2. Data Security processes (who makes the requests, how is that process protected, etc)
  3. You can attest that your software solution meets the security requirements for DPC, specifically one or more of the following requirements:
    1. Completed and holds an active ONC Health IT Certification
    2. Active HITRUST self-validation assessment (valid for one year from implementation if currently pursuing the HITRUST validated assessment)
    3. Active HITRUST Validated Assessment
    4. EHNAC Accreditation
  4. You can answer questions regarding your experience testing your solution in sandbox
  5. You can demonstrate your DPC solution to the DPC engineering and research team

Here's a list of starter questions to help guide your plan for the demo. As we see your solution, additional technical questions may arise.
  1. Walk us through your end-to-end workflow.
    1. How do you attribute patients to practitioners?
    2. How will practitioner see the data in your system?
  2. How frequently will your organization make requests to the API? How quickly will you need the data returned?
  3. What is your retry logic for requests that fail?
  4. What will you do if you don't get data back for some of the requested patients? For example, data for patients outside of the 18 month lookback period for a given provider will not be returned at this time.
  5. How will the data be used? For example, are you using the data for aggregate population reporting, or for insights into the needs of an individual patient?
  6. Where does the application live?
    1. Would there be a separate instance if you bring on another practice during pilot or MVP?
  7. During onboarding in the early phases of pilot, we'll be providing keys directly to the practitioner organization to grant access to production via secure email - we will not be using the same web portal as our sandbox environment. Please consider how to best communicate with the practitioner to securely transfer secrets if necessary.
  8. Are you ready for breaking changes during pilot?
    1. As we introduce new features into pilot, how will you incorporate those changes into your solution?
  9. How did you test your DPC solution? What documentation did you use the most?

Our goal with the production pilot is not to grant early access to DPC production data, but rather to test specific technical and workflow solutions in a production environment with actual users. The pilot phase of DPC is a learning experience for CMS as well as for our partner organizations, which means that we will make breaking changes to the code while organizations are working in production, and will be looking for feedback from our pilot participants to help us grow. A few limitations for you to know up front:
  • Claims data access may be limited by the number of claims or the number of beneficiaries requested or returned during the pilot.
  • New patient information will not be immediately available. At this time only patients with a claim within the last 18 months for the attributed provider will be accessible.
  • DPC is not a final product yet. As we continue to gather feedback and do research, it is possible that significant changes may be made to the DPC API - participation in this pilot is a great opportunity to help influence the future direction of the API! We will communicate these changes to all of our production and sandbox community members as they come about, but we may identify the need to temporarily shut down production data access between now and our full release as part of our continued development efforts.

DPC will onboard one organization at a time. Depending on the backlog of organizations, this may mean that your organization will sit in the queue for a few months before it is your turn to onboard. We will keep you updated as much as we can and ask that you continue to test your solution in the sandbox during that time as any changes to the production environment will be changed in the sandbox environment first.

Good news: our sandbox environment matches the production environment, and we'll roll out new functionality in sandbox before sending it into production. Even if you are not able to participate in the production pilot at this juncture, please continue to test in the sandbox environment with synthetic data. Your feedback through the Google Group is invaluable to our researchers and engineers as we all work together to shape the future of DPC.

Yes, you can inherit AWS’ HITRUST certification if your DPC solution meets the following requirements:
  1. The DPC solution is contained entirely within AWS Services that have received a HITRUST certification. See AWS' list of HITRUST-certified services under HITRUST CSF.
  2. The DPC solution applies the controls listed on the HITRUST website. You should download the AWS Custom HITRUST Shared Responsibility Matrix to determine which HITRUST controls AWS customers can inherit as part of the Shared Responsibility Model.
  3. You submit a valid and accepted External Inheritance request through the HITRUST website. Follow the instructions in the User Guide to do so.