Available Permissions

Permissions and Features

The ORCA API offers three types of permissions for Service Apps:

  • Inbox Access

  • Patient Access

  • Calendar Access

Inbox Access

This permission allows the Service App to add and update items in the user's inbox. The inbox contains a list of notifications and action items for the user, such as reminders, pending tasks, and completed tasks. There are no additional requirements for this permission, but the app must not spam a user's inbox with promotional content or display private information about a patient's health in the inbox.

Patient Access

This permission allows the Service App to add, update, and soft delete patient resources. Because the app will gain access to protected health information (PHI), there are strict requirements for obtaining this permission, such as submitting a Business Verification form and undergoing HIPAA Compliance training. These requirements exist to protect patient privacy and prevent data breaches. In addition, the app must not sell or offer patient information to another entity, nor disclose patient information at any point.

Calendar Access

This permission allows the Service App to add, update, and soft delete appointments on a user's calendar. As a user's calendar is primarily used for reminders, there are no additional requirements or restrictions for this permission.
