Last updated: 8/19/21
If you’ve found yourself on this page, it’s because you’re interested in using software that helps millions of Medicare beneficiaries in the United States. Thank you.
Please read our Application Programming Interface (API) Terms of Service carefully and post any questions you may have to the Google Group.
By accessing or using Centers for Medicare & Medicaid Services (CMS) Data at the Point of Care APIs and related services (collectively, DPC), you are agreeing to the terms below, as well as any relevant sections of CMS’s Privacy Policies (collectively, Terms).
Data Rights and Usage
By using DPC on behalf of a “covered entity” or “business associate”, as those terms are defined in 45 C.F.R. § 160.103, you represent and warrant that you have authority to bind that covered entity or business associate to the Terms, and by accepting the Terms, you are doing so on behalf of that covered entity or business associate (and all references to “you” in the Terms refer to you and that covered entity or business associate). Click here if you would like more information on the application of HIPAA at CMS.
In order to access DPC, you may be required to provide certain information (such as identification or contact details) as part of the registration process for DPC, or as part of your continued use of DPC. Any registration information you give to CMS must be accurate and up-to-date, and you must inform CMS promptly of any updates so that we can keep you informed of any changes to DPC or the Terms which may impact your usage of DPC.
Sandbox or production credentials (such as passwords, keys, tokens, and client IDs) issued to you by CMS for DPC are intended to be used only by you and to identify any software which you are using with DPC. You agree to keep your credentials confidential and make reasonable efforts to prevent and discourage other persons or entities from accessing or using your credentials. Credentials may not be embedded in open source projects.
You may only access (or attempt to access) DPC by the means described in the DPC documentation. If CMS assigns you production credentials, you may only use those production credentials to access the DPC, and you may only access the DPC using an application that has been reviewed and approved by CMS in response to your request. CMS may revoke your credentials if you use (or attempt to use them) with another application that has not been reviewed and approved by CMS.
Activities and Purposes
You may use DPC to develop or operate a service to notify, search, display, analyze, retrieve, view, and otherwise obtain certain information or data from CMS in accordance with applicable federal and state privacy and security laws and these Terms, specifically: (i) synthetic data; or (ii) Medicare Part A, Part B, and Part D raw historical claims data.
Information or data regarding Medicare beneficiaries from CMS available through DPC is subject to the Privacy Act of 1974 (Privacy Act), the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and other laws. You must comply with all applicable federal and state laws regarding the privacy and security of information obtained through DPC.
When records regarding an individual are obtained through DPC, you may not disclose any information or data regarding the individual to any other individuals or third parties without specific, explicit consent from the individual or his or her authorized representative or as part of an approved exception. The terms “individual” and “record” have the meanings specified in the Privacy Act at 5 U.S.C. § 552a(a). Click here if you would like more information about the application of the Privacy Act at CMS.
Furthermore, data can only be requested through DPC by a covered entity, or a business associate on behalf of a covered entity, for treatment purposes in accordance with 45 C.F.R. § 164.506.
By accepting these Terms, you attest to the following:
- You are either:
- A HIPAA Covered Entity, as defined in 45 C.F.R. § 160.103
- A HIPAA Business Associate, as defined in 45 C.F.R. § 160.103
- You are seeking protected health information (PHI), as defined in 45 C.F.R. § 160.103, for either:
- Your own use
- On behalf of a HIPAA Covered Entity and for which you are a Business Associate
- You intend to take the data requested herein into your designated record set and only use the data requested herein for a permissible purpose under HIPAA
A business associate/subcontractor is directly liable under the HIPAA Rules and subject to civil and, in some cases, criminal penalties for making uses and disclosures of PHI that are not authorized by its contract or required by law. A business associate submitting API transactions and receiving data on behalf of a HIPAA covered entity:
- The business associate must not use DPC except as an authorized agent of the covered entity.
- The business associate must be able to associate each inquiry with the covered entity for each API call (request). That is, for each inquiry a business associate makes, that business associate must be able to identify the covered entity making the request for each beneficiary’s information and be able to assure that responses are routed only to the originator of each request.
HIPAA does not require expiration dates on business associate agreements; it is valid as long as the agreement is in effect (or a regulatory rule change occurs). It is the responsibility of the covered entity to notify DPC at the termination of the business associate agreement.
When using content, data, documentation, code, or related materials associated with DPC in your own work, proper credit must be given. All services that utilize or access DPC must display the following notice prominently within the application:
“This product uses the Data at the Point of Care API but is not endorsed or certified by the Centers for Medicare & Medicaid Services or the U.S. Department of Health and Human Services.”
You may use CMS’s name or logo in order to identify the source of API content subject to these Terms. You may not use the CMS name, logo, or the like to imply endorsement of any product, service, or entity, not-for-profit, commercial, or otherwise.
Right to Limit
Your use of DPC is subject to certain limitations on access, calls (requests), or use as set forth within these Terms or otherwise provided by CMS. These limitations are designed to manage the load on the system, promote equitable access, and prevent abuse, and these limitations may be adjusted without notice, as deemed necessary by CMS. If CMS reasonably believes that you have attempted to exceed or circumvent these limits, your ability to use DPC may be temporarily or permanently blocked. CMS may monitor your use of DPC for example, to improve the service or to ensure compliance with these Terms.
If you wish to terminate your agreement with these Terms, you may do so by refraining from further use of DPC. CMS reserves the right (though not the obligation) to: (1) refuse to provide DPC to you, if CMS determines that your use violates any CMS policy, including these Terms; or (2) terminate or deny you access to and use of all or part of DPC at any time for any other reason which in its sole discretion it deems necessary in order to prevent abuse. You may petition CMS to regain access to DPC through the support email address provided by CMS for DPC. If CMS determines in its sole discretion that the circumstances which led to the refusal to provide DPC or terminate access to DPC no longer exist, then CMS may restore your access. All provisions of these Terms shall survive termination, including, without limitation, warranty disclaimers and limitations of liability.
Appropriate administrative, physical, and technical safeguards must be applied to ensure the confidentiality, integrity, and security of PHI. Standards are specified in 45 C.F.R. Part 160 and Subparts A and C of Part 164.
You agree to cooperate with CMS or its agents in the event that CMS has a security concern with respect to any inquiry, submission, or receipt of information to or from CMS.
At the time of registration and each time the software submits, requests, or retrieves information from DPC, you are attesting, subject to validation by CMS, that the software and its associated IT systems meet one or more of these security requirements:
- Office of the National Coordinator for Health Information Technology (ONC) Health IT Certification
- Active Health Information Trust Alliance (HITRUST) CSF Validated Assessment
- Active HITRUST self-validation assessment (valid for one year from date of first implementation if currently pursuing the HITRUST validated assessment)
- Electronic Healthcare Network Accreditation Commission (EHNAC) Accreditation
- Accountable Care Organization Accreditation Program (ACOAP)
- Data Registry Accreditation Program (DRAP)
- DirectTrust Privacy & Security (DT P&S)
- EHNAC Privacy & Security (EHNAC P&S)
- Financial Services Accreditation Program for Electronic Health Networks (FSAP-EHN)
- Financial Services Accreditation Program for Lockbox Services (FSAP-Lockbox)
- Health Information Exchange Accreditation Program (HIEAP)
- Healthcare Network Accreditation Program for Medical Billers (HNAP-Medical Biller)
- Healthcare Network Accreditation Program- Third party administrator (HNAP-TPA)
- Management Service Organization Accreditation Program (MSOAP)
- Outsourced Services Accreditation Program (OSAP)
- Practice Management System Accreditation Program (PMSAP)
- Trusted Dynamic Registration & Authentication (TDRAAP) Comprehensive
- Trusted Network Accreditation Program - Participant/Participant Member (TNAP - Participant/Member)
- Trusted Network Accreditation Program (TNAP - QHIN)
- System and Organization Controls (SOC) 2 certified
- Type 1certified (valid for one year from date of first implementation if currently pursuing type 2)
- Type 2 certified
- International Organization for Standardization (ISO): 27001, 27017, or 27018 certified
Disclaimer of Warranties
The DPC platform is provided “as-is” and on an “as-available” basis. While we will do our best to ensure the service is available and functional at all times, CMS hereby disclaims all warranties of any kind, express or implied, including, without limitation, the warranties of merchantability, fitness for a particular purpose, and non-infringement. CMS makes no warranty that data will be error-free or that access thereto will be continuous or uninterrupted.
Limitations on Liability
In no event will CMS or the U.S. Department of Health and Human Services (HHS) be liable with respect to any subject matter of these Terms under any contract, negligence, strict liability, or other legal or equitable theory for: (1) any special, incidental, or consequential damages; (2) the cost of procurement of substitute products or services; or (3) for interruption of use or loss or corruption of data.
Disputes, Choice of Law, Venue, and Conflicts
Any disputes arising out of these Terms and access to or use of the DPC shall be governed by the laws and common law of the United States of America, including, without limitation, such regulations as may be promulgated from time to time by CMS, HHS, or any of its constituent agencies, without regard to any conflict of laws statutes or rules. You further agree and consent to the jurisdiction of the Federal Courts located within the District of Columbia and the courts of appeal therefrom, and waive any claim of lack of jurisdiction or forum non conveniens.
You agree to indemnify and hold harmless HHS, including CMS, its contractors, employees, agents, and the like, from and against any and all claims and expenses, including attorney’s fees, arising out of your use of the DPC, including, but not limited to, violation of these Terms.
No Waiver of Rights
CMS’s failure to exercise or enforce any right or provision of these Terms shall not constitute waiver of such right or provision.