Access Tiers

There are six different levels of API access available to project teams. Each tier has specific access requirements, screening questions and best practices.

Note that the Clinical Systems Office of Project Portfolio Management (CS OPPM) reviews and approves projects for integration with APeX, UCSF's live instance of Epic. The dD&T committee's role is to provide governance for the UCSF Sandbox and adequately prepare project teams who wish to integrate with APeX.

Tier 1: Patient-Directed API Access via MyChart

Access to read-only APIs, authenticated via MyChart by patients and enabled for patient-directed uses.

Tier 2: Sandbox Read-only

Access to read-only enterprise-facing APIs exposed by the Sandbox, which replicates the EHR but without protected health information (PHI). Used for education, experimentation, development, and testing.

Tier 3: Sandbox Read/Write

Access to read and write enterprise-facing APIs exposed by the Sandbox, which replicates the EHR but without protected health information. Used for education, experimentation, development, and testing.

This tier is distinct from Tier 2 read-only because the Sandbox infrastructure is shared with other developers, and thus writing to it can impact other users and UCSF.

Tier 4: EHR Read-only for testing and development

Access to read-only enterprise-facing APIs exposed by the EHR, including access to protected health information. Used for development and technical testing but without any testing or use in actual patient care.

Tier 5: EHR Read-only for use in care delivery

Access to read-only enterprise-facing APIs exposed by the EHR, including access to protected health information. Used for testing or clinical use with patients.

Tier 6: EHR Read & Write API access

Access to read and write enterprise-facing APIs exposed by the EHR, including writing to the medical records of patients.