Accessing the ZAP
Permitted Use
Under HIPAA, the use and disclosure of protected health information (PHI) is permitted for activities related to Treatment, Payment, and Healthcare Operations (TPO).
While HIPAA permits the use and disclosure of PHI for TPO activities, the health data exchanges that Zus partners with may put in place additional requirements to access patient data, such as treatment purpose of use or presence of a prescribing provider.
To use the Zus platform, your organization must also agree to Zus’s Builder Terms of Service and have Zus’s sales and legal teams review and approve your use case.
Asserting a Relationship with a Patient
Zus customers can indicate they have an active relationship for TPO purposes (i.e., the Authorized Activities) with a given patient using the FHIR Patient.active field. When it is set to “true”, your organization can access the patient’s Zus Aggregated Profile (ZAP), including third-party data and data contributed by other covered entities on Zus serving this patient.
This field can be set to “true” in the following ways:
- When you make a patient history API request or enroll a patient in a subscription, you are required to assert that you have a treatment consent for that patient. Zus treats this assertion as evidence of an active patient relationship and automatically sets the field to “true” on your behalf
- If you sync data to Zus from your EHR, that integration may be setting this field to “true”
- You can set it directly for a given patient
When this field is set to “false”, you can still access your own data on a patient, but the data contributed by third-party networks or other builders on Zus will no longer be visible.
Active patient example:
{
  "resourceType": "Patient",
  "active": true,
  "name": [
    {
      "family": "Smith",
      "given": [
        "Mike"
      ]
    }
  ],
  ...
}
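Because setting Patient.active to “true” is what opens a patient’s third-party data to your organization, it is worth reconciling that flag against your own record of current patient relationships. The following is an added example, not part of Zus’s documentation: the roster, the patient ids and the sample resources are constructed assumptions, and the script works offline on exported Patient resources without calling any Zus API.

```python
import json

# Constructed sample data: Patient resources exported from your own records.
PATIENTS_JSON = """[
  {"resourceType": "Patient", "id": "p1", "active": true,
   "name": [{"family": "Smith", "given": ["Mike"]}]},
  {"resourceType": "Patient", "id": "p2", "active": true},
  {"resourceType": "Patient", "id": "p3", "active": false},
  {"resourceType": "Patient", "id": "p4"},
  {"resourceType": "Patient", "id": "p5", "active": "true"},
  {"resourceType": "Patient", "id": "p6", "active": false},
  {"resourceType": "Observation", "id": "o1"}
]"""

# Hypothetical roster: ids of patients your organization currently serves
# for TPO purposes (for example, taken from scheduling or enrollment data).
CURRENT_RELATIONSHIPS = {"p1", "p3"}


def audit_active_flags(resources, roster):
    """Compare each Patient's `active` assertion with the internal roster."""
    report = {"ok": [], "stale_assertion": [], "not_asserted": [], "needs_review": []}
    for res in resources:
        if res.get("resourceType") != "Patient":
            continue  # only Patient resources carry the relationship flag
        pid = res.get("id", "<no id>")
        active = res.get("active")
        if not isinstance(active, bool):
            # Missing or non-boolean (e.g. the string "true"): do not guess
            # how it will be interpreted; send it to a human.
            report["needs_review"].append(pid)
        elif active and pid not in roster:
            # Relationship is asserted, but nothing on our side backs it up.
            report["stale_assertion"].append(pid)
        elif not active and pid in roster:
            # We serve this patient but have not asserted the relationship.
            report["not_asserted"].append(pid)
        else:
            report["ok"].append(pid)
    return report


if __name__ == "__main__":
    result = audit_active_flags(json.loads(PATIENTS_JSON), CURRENT_RELATIONSHIPS)
    print(json.dumps(result, indent=2))
```

Entries under stale_assertion are the ones to resolve first, since they represent access to other parties’ data without a matching relationship on record.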