UnitedHealthcare / Optum Patient Access APIs
Mark Lorenz


In this post:

  • Patient access workflow screenshots.
  • Commentary on how UnitedHealthcare / Optum implemented their patient access APIs.
  • Years of failure and rejection.


Every night for years Katalin Karikó worked on grants to fund her research in genetics and protein synthesis. Always those grants were rejected. No one believed. Her colleagues thought her ideas were so hopeless that in 1995 she was demoted[1] and the university stopped supporting her work[2]. Usually, at that point, people just say "goodbye" and leave because it's so horrible. But Karikó didn't leave; she was committed to figuring out how to make the human body synthesize new proteins.

Your body is made of proteins, but it starts with DNA. DNA is like a long zipper. In a process called "transcription", a section of DNA is unzipped and one side of the zipper is copied. This half-zipper-section-copy is then read, like computer code, by an organelle called a ribosome. The ribosome uses the instructions in the half-zipper-section-copy to assemble a soup of amino acids[3] into a protein chain that will go on to become hair, fingernails, muscle, skin, anything organic. These half-zipper-section-copies are called "mRNA".

Karikó believed that she could add artificial mRNA into an animal's body and that its ribosomes would dutifully use it to synthesize proteins… any protein she wanted[4]. The problem is that decades of failure had proven that the body reacts to foreign mRNA the same way it reacts to any foreign compound: by mounting an immune response and destroying it. Sometimes this immune response is so strong that it kills the animal it's trying to protect.

But the body does not destroy its own mRNA. If Karikó could fix this small problem, she'd make a scientific advancement that could save millions of lives.

UnitedHealthcare / Optum

UnitedHealthcare (which I always want to misspell as United Healthcare), a subdivision of UnitedHealth Group (aka UHG), is a giant of the health insurance industry. In 2018 they were the largest insurance company, holding 14.2% market share and $157 million in direct written premiums[5]. Optum, another subdivision of UHG, is itself a collection of three other businesses (OptumHealth, OptumInsight, and OptumRx)[6]. Due to the highly "captive" nature of UHG's subdivisions, they all play a role in supporting the corporation's patient access APIs mandated for 2021 by CMS 9115-F. For the sake of brevity, I will just refer to any and all of these business groups as "United".

What United got right

  • They are building in public! For a company of United's size, this is really surprising. Each time I go through the developer sandbox it's a little better.
  • The patient access API documentation is publicly available and good, though it does have a few mistakes. I got a laugh out of the documentation URL: uhc.com/legal/interoperability. Normally you'd find docs under a URL like developers.uhc.com or uhc.com/developers, so maybe these docs are for the lawyers, not the developers? 🙃
  • Good developer support. They respond to emails quickly and are knowledgeable.

The authorization workflow

There's a fair amount of things for the user/patient/member to click through. This is all allowed (and encouraged) by CMS. The workflow looks like this:

UnitedHealthcare patient access authorization workflow

What you need to know about authorizing

1. Similar to Aetna's patient access APIs, United did silly things with the redirect_uri parameter of the /authorize request. It's required, and it must match what's configured in the developer portal. I wish they'd pick one: either honor the request or use what's in the portal.

2. The documentation says that you'll get a (non-refreshable) refresh token that's valid for 3 months after authorization, but in the sandbox no refresh tokens are issued. The user/member/patient is also shown that the token lasts for 3 months, so hopefully this is just United building in public.

3. United is big, and supports many lines of business, so you'll need to know the name of the patient's specific plan (e.g. Rocky Mountain, People's Health) because they each have their own subdomain (e.g. rmhp.authz.flex.optum.com, healthx.authz.flex.optum.com). I think Aetna did a better job here: "branding" parameters were available but are not required.

4. The documentation states that the code_challenge should be the base64url encoding of the SHA-256 hash of an ASCII string:

code_verifier = random, non-guessable code
code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))

This is not exactly true either. The first step is not ASCII encoding, but rather the hexadecimal representation of an "ASCII encodable" string. This is a little too technical to explain here, but it's like explaining how you'd say something in French versus actually speaking French. It's weird and also not the way the oauth.com reference implementation does it.
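An added example, not code from the post or from United's documentation: the S256 challenge as RFC 7636 specifies it (raw ASCII bytes of the verifier hashed, then base64url without padding), the check a token endpoint performs, and a constructed variant that hashes the hex spelling of the verifier instead. The hex variant is an assumption about what the mismatch the post describes looks like, not a description of United's code; its point is that any change to the hashed bytes yields a different challenge and a failed exchange.

```python
import base64
import hashlib
import secrets

# Unreserved characters RFC 7636 permits in a code_verifier.
_UNRESERVED = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"


def _b64url(raw: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: 32 random bytes -> 43 url-safe characters, the RFC minimum length."""
    return _b64url(secrets.token_bytes(nbytes))


def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), RFC 7636 section 4.2.
    The hash input is the verifier's ASCII bytes and nothing else."""
    return _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def s256_challenge_over_hex(code_verifier: str) -> str:
    """Constructed divergent variant (an assumption, not United's algorithm):
    hash the hexadecimal spelling of the verifier's bytes rather than the bytes.
    Same verifier, different challenge, so client and server never agree."""
    hex_form = code_verifier.encode("ascii").hex().encode("ascii")
    return _b64url(hashlib.sha256(hex_form).digest())


def verify_s256(code_verifier: str, code_challenge: str) -> bool:
    """Server side at the token endpoint: enforce the RFC length and charset,
    recompute the challenge, and compare in constant time."""
    if not 43 <= len(code_verifier) <= 128:
        return False
    if any(c not in _UNRESERVED for c in code_verifier):
        return False
    return secrets.compare_digest(s256_challenge(code_verifier), code_challenge)
```

The RFC 7636 Appendix B test vector is the quickest way to check an implementation against the spec rather than against a particular server.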

5. Finally, even though United will give you a production API key, their production APIs are not live. Requesting authorization will return an error. While the CMS rule is in effect now, it's not being enforced until 1-July-2020, so United has some time.

Getting an Explanation of Benefits (EOB) from United's patient access APIs

The contents of the EOB look good, but there's another mismatch between documentation and reality. The docs say patient=[id] is a required parameter, but it's not: supplying the bearer token is sufficient.

Wrapping up

It's exciting to see United building in public. Hopefully they smooth over some of the weird stuff in their OAuth implementation and clean up their docs. If they can fix these small problems, it'll be a great advancement.

The small detail that changes everything


Karikó started to wonder how her mRNA was different from the body's homemade mRNA[7]. The answer came from what is usually the small, boring part of an experiment: the control.

One of the control samples for her experiments was another type of RNA. tRNA is a shorter bit of RNA that helps the ribosome hang on to the amino acids while constructing a protein. The tRNA wasn't creating the same immune over-response. Why not? The tRNA had something her mRNA didn't… it was attached to another molecule called "pseudouridine". It turned out that human mRNA also has pseudouridine[8].

By adding pseudouridine to her mRNA, Karikó was able to turn decades of failure and disappointment into a fundamental science breakthrough. Using this new technology, her company BioNTech was able to design the Pfizer COVID-19 vaccine in hours[9]. On 08-Nov-2020, when the results of the Pfizer vaccine trial came back showing a powerful immune response to the virus, Dr. Karikó turned to her husband: “Oh, it works,” she said. “I thought so.”

It's small improvements in our coding technique, whether with the code of life or the code of an API for patients to access their information, that can lead to big breakthroughs in our healthcare system.


Do you know someone with an Aetna Medicare Advantage plan? Please send them to the HealthSouse home page. We may also be able to save your friend some money.

Still here? Thanks for reading! You seem like a nice person, who should send me an email: mark@healthsouse.com. Encouragement and criticism are both welcome!


[1] www.statnews.com

[2] www.wbur.org

[3] www.nature.com

[4] www.statnews.com

[5] www.beckershospitalreview.com

[6] www.unitedhealthgroup.com

[7] www.nytimes.com

[8] www.nytimes.com

[9] www.nytimes.com