Accessing the ZAP

Permitted Use

Under HIPAA, the use and disclosure of protected health information (PHI) is permitted for activities related to Treatment, Payment, and Healthcare Operations (TPO).

While HIPAA permits the use and disclosure of PHI for TPO activities, the health data exchanges that Zus partners with may put in place additional requirements to access patient data, such as a treatment purpose of use or the presence of a prescribing provider.

To use the Zus platform, your organization must also agree to Zus’s Builder Terms of Service and have Zus’s sales and legal teams review and sign off on your use case.

Confirming Relationship with Patient

Zus customers can indicate they have an active relationship for TPO purposes (i.e., the Authorized Activities) with a given patient using the FHIR Patient.active field. When it is set to “true”, your organization can access the patient’s Zus Aggregated Profile (ZAP), including third-party data and data contributed by other covered entities on Zus serving this patient.

This field can be set to “true” in the following ways:

  1. When you make a patient history API request or enroll a patient in a subscription, you are required to assert that you have a treatment consent for that patient. Zus treats this assertion as evidence of an active patient relationship and automatically sets the field to “true” on your behalf.
  2. If you sync data to Zus from your EHR, that integration may be setting this field to “true”.
  3. You can set it directly for a given patient.

When this field is set to “false”, you can still access your own data on a patient, but the data contributed by third-party networks or other builders on Zus will no longer be visible.

Active patient example:

{
    "resourceType": "Patient",
    "active": true,
    "name": [
        {
            "family": "Smith",
            "given": [
                "Mike"
            ]
        }
    ],
    ...
}

For more information about Patient Consent, please read our FAQs.

Accessing the ZAP via API

You can access the ZAP by making patient-centric API calls to Zus for one patient at a time, using the Universal Patient Identifier (UPID) to identify the patient. The UPID links together the different patient resources, across all Builders and sources, that Zus’s Universal Patient Index has determined represent the same person. You can access Designated Record Set resources associated with all patient resources that share the UPID of the patient resource you created. You can find the UPID on your patient resource in the "identifier" property:

UPID Identifier example:

"identifier": [
    {
        "system": "https://zusapi.com/fhir/identifier/universal-id",
        "value": "<UPID>"
    }
]
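
A local pre-flight check over a Patient resource, as an added example that is not Zus's own code: it reads the "active" flag and extracts the UPID by its identifier system before a ZAP query is attempted. The function name zap_precheck, the sample resources, and the choice to accept only the JSON boolean true are assumptions of this example.

```python
# System URI of the UPID identifier, as shown on this page.
UPID_SYSTEM = "https://zusapi.com/fhir/identifier/universal-id"


def zap_precheck(patient):
    """Hypothetical helper: report whether the active flag is asserted and
    return the single UPID carried by a FHIR Patient resource (a dict)."""
    if patient.get("resourceType") != "Patient":
        raise ValueError("not a FHIR Patient resource")

    # Assumption: only the JSON boolean true counts as an asserted
    # relationship; a missing field or the string "true" does not.
    active = patient.get("active") is True

    # Collect distinct UPID values; other identifier systems are ignored.
    upids = {
        ident["value"]
        for ident in patient.get("identifier", [])
        if isinstance(ident, dict)
        and ident.get("system") == UPID_SYSTEM
        and isinstance(ident.get("value"), str)
        and ident["value"]
    }
    if len(upids) > 1:
        raise ValueError("conflicting UPID identifiers on one Patient")
    upid = next(iter(upids), None)

    # Per the page: with active false you still see your own data, but
    # third-party and other builders' data is no longer visible.
    return {"active": active, "upid": upid, "shared_data_visible": active}


# Constructed sample resources (placeholder values, not real patients).
UPID_ID = {"system": UPID_SYSTEM, "value": "upid-example-0001"}
MRN_ID = {"system": "https://example.org/mrn", "value": "12345"}
ACTIVE = {"resourceType": "Patient", "active": True, "identifier": [MRN_ID, UPID_ID]}
INACTIVE = {"resourceType": "Patient", "active": False, "identifier": [UPID_ID]}
STRING_FLAG = {"resourceType": "Patient", "active": "true", "identifier": [UPID_ID]}

if __name__ == "__main__":
    for name, res in [("active", ACTIVE), ("inactive", INACTIVE), ("string flag", STRING_FLAG)]:
        print(name, zap_precheck(res))
```

Running the check in the integration layer makes a resource whose flag was synced as a string, or that carries two different UPIDs, fail loudly instead of silently returning a narrower or wrong data set.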

These query types will return all available data for the given UPID, including your own data, shared data generated by others on Zus treating that patient, data from third-party networks, and Zus-generated summaries. The following diagram summarizes this capability: