Industry Guide: Healthcare & Medical Records
This guide walks through a complete Docyard setup for a health system distributing medical records and claims documents. Docyard’s four stakeholder classes map to healthcare workflows:
| Docyard Role | Healthcare Persona | Access Pattern |
|---|---|---|
| Mortgagee | Payer / Insurance Company | Bulk API for claims data |
| Agent | Referring Provider / Specialist | Portal + bulk download |
| Policyholder | Patient | Self-service portal |
| Auditor | HHS Investigator | Time-boxed read-only |
Step 1: Create a Dock
Create a dock for the health system:
```bash
curl -X POST https://api.docyard.io/v1/docks \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Lakeside Health System",
    "domain": "lakesidehealth.org",
    "legalName": "Lakeside Health System Inc.",
    "businessType": "corporation",
    "businessEmail": "[email protected]"
  }'
```
Step 2: Upload Documents
Upload medical records and claims documents:
```bash
# Upload an explanation of benefits
curl -X POST https://api.docyard.io/v1/docks/dock_01HQ3K.../artifacts/upload \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -F "[email protected]"

# Upload lab results
curl -X POST https://api.docyard.io/v1/docks/dock_01HQ3K.../artifacts/upload \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -F "[email protected]"
```
Tag artifacts with healthcare metadata for policy routing:
```bash
curl -X POST https://api.docyard.io/v1/docks/dock_01HQ3K.../artifacts \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "filename": "eob-MBR-2025-44210.pdf",
    "metadata": {
      "member_id": "MBR-2025-44210",
      "document_type": "explanation-of-benefits",
      "service_date": "2025-02-10",
      "provider_npi": "1234567890"
    }
  }'
```
Step 3: Add Recipients (All Four Personas)
Payer / Insurance Company — Bulk API access
```bash
curl -X POST https://api.docyard.io/v1/docks/dock_01HQ3K.../recipients \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Anthem Blue Cross",
    "email": "[email protected]",
    "stakeholderClass": "mortgagee",
    "identifiers": {
      "payer_id": "ANTHEM-00112",
      "member_id": "MBR-2025-44210"
    }
  }'
```
Referring Provider / Specialist — Portal + bulk download
```bash
curl -X POST https://api.docyard.io/v1/docks/dock_01HQ3K.../recipients \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Dr. Lisa Tran — Westside Cardiology",
    "email": "[email protected]",
    "stakeholderClass": "agent",
    "identifiers": {
      "npi_number": "1234567890",
      "member_id": "MBR-2025-44210"
    }
  }'
```
Patient — Single retrieval via portal
```bash
curl -X POST https://api.docyard.io/v1/docks/dock_01HQ3K.../recipients \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Robert Kim",
    "email": "[email protected]",
    "stakeholderClass": "policyholder",
    "identifiers": {
      "phone": "+1-312-555-0234",
      "date_of_birth": "1975-11-03",
      "member_id": "MBR-2025-44210"
    }
  }'
```
HHS Investigator — Time-boxed read-only
```bash
curl -X POST https://api.docyard.io/v1/docks/dock_01HQ3K.../recipients \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "HHS OIG — Angela Foster",
    "email": "[email protected]",
    "stakeholderClass": "auditor",
    "identifiers": {
      "badge_id": "HHS-OIG-2025-0087",
      "nda_hash": "sha256:c7d2e9f1a3b5..."
    }
  }'
```
Step 4: Create Access Policies
Payer bulk access policy
```bash
curl -X POST https://api.docyard.io/v1/docks/dock_01HQ3K.../policies \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Payer Bulk Claims Access",
    "recipe": "{\"stakeholderClass\":\"mortgagee\",\"artifactTypes\":[\"explanation-of-benefits\",\"claim-summary\",\"pre-authorization\"],\"auth\":{\"factors\":[\"shared_passphrase\",\"tls_certificate\"],\"tls\":{\"require_mutual\":true}},\"access\":{\"method\":\"bulk_api\",\"max_batch_size\":5000},\"match\":{\"identifiers\":[\"payer_id\",\"member_id\"]}}"
  }'
```
Provider portal access policy
```bash
curl -X POST https://api.docyard.io/v1/docks/dock_01HQ3K.../policies \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Provider Portal & Download",
    "recipe": "{\"stakeholderClass\":\"agent\",\"artifactTypes\":[\"lab-results\",\"imaging-report\",\"referral-letter\",\"discharge-summary\",\"visit-summary\"],\"auth\":{\"factors\":[\"webauthn\"],\"webauthn\":{\"challenge_type\":\"platform_or_cross_platform\"}},\"access\":{\"method\":[\"portal\",\"bulk_download\"]},\"match\":{\"identifiers\":[\"npi_number\",\"member_id\"]}}"
  }'
```
Patient self-service policy
```bash
curl -X POST https://api.docyard.io/v1/docks/dock_01HQ3K.../policies \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Patient Self-Service Portal",
    "recipe": "{\"stakeholderClass\":\"policyholder\",\"artifactTypes\":[\"explanation-of-benefits\",\"lab-results\",\"visit-summary\",\"immunization-record\",\"discharge-summary\"],\"auth\":{\"factors\":[\"sms_otp\"],\"otp\":{\"delivery\":\"sms\",\"code_length\":6,\"ttl_seconds\":300}},\"access\":{\"method\":\"portal\",\"max_concurrent_downloads\":1},\"match\":{\"identifiers\":[\"email\",\"date_of_birth\",\"member_id\"]}}"
  }'
```
HHS investigation audit policy
```bash
curl -X POST https://api.docyard.io/v1/docks/dock_01HQ3K.../policies \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "HHS OIG Investigation — 2025",
    "recipe": "{\"stakeholderClass\":\"auditor\",\"artifactTypes\":[\"*\"],\"auth\":{\"factors\":[\"badge_id\",\"nda_hash\"],\"nda\":{\"hash_algorithm\":\"sha256\",\"require_match\":true}},\"access\":{\"method\":\"portal\",\"read_only\":true,\"download_enabled\":false},\"match\":{\"identifiers\":[\"badge_id\",\"nda_hash\"]},\"constraints\":{\"time_window\":{\"start\":\"2025-02-01T00:00:00Z\",\"end\":\"2025-04-01T00:00:00Z\"},\"auto_expire\":true}}"
  }'
```
Publish the payer policy to production:
```bash
curl -X POST https://api.docyard.io/v1/docks/dock_01HQ3K.../policies/pol_01HQ3P.../publish \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "stage": "production" }'
```
Step 5: Generate Payer Passphrase
The payer’s policy requires a shared passphrase. Generate one:
```bash
curl -X POST https://api.docyard.io/v1/recipients/rcp_01HQ3N.../secrets \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Anthem Blue Cross — Claims API Passphrase",
    "expiresInDays": 90
  }'
```
The secret value is returned only once. Securely transmit it to the payer. Docyard stores only the SHA-256 hash and cannot recover the plaintext.
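A minimal model of the hash-only storage described above, as an added example that is not Docyard's code: `issue_secret` and `verify_secret` are hypothetical names, and the record layout is an assumption. It shows why the plaintext can be handed out only once and how a presented passphrase is still verifiable until it expires.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

def issue_secret(name, expires_in_days, now=None):
    """Return (plaintext, record). Only the record is persisted."""
    now = now or datetime.now(timezone.utc)
    # 32 random bytes from the OS CSPRNG. A plain SHA-256 is adequate only
    # because the value is machine-generated and high-entropy; a human-chosen
    # passphrase would need a salted, slow KDF instead.
    plaintext = secrets.token_urlsafe(32)
    record = {
        "name": name,
        "sha256": hashlib.sha256(plaintext.encode()).hexdigest(),
        "expires_at": now + timedelta(days=expires_in_days),
    }
    return plaintext, record

def verify_secret(presented, record, now=None):
    """True only if the hash matches and the secret has not expired."""
    now = now or datetime.now(timezone.utc)
    digest = hashlib.sha256(presented.encode()).hexdigest()
    # Constant-time comparison so timing does not reveal a partial match.
    matches = hmac.compare_digest(digest, record["sha256"])
    return matches and now < record["expires_at"]

if __name__ == "__main__":
    value, rec = issue_secret("Claims API Passphrase", 90)
    print("hand to payer once:", value)
    print("stored:", rec["sha256"], rec["expires_at"].isoformat())
    print("verifies:", verify_secret(value, rec))
```
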
Step 6: Payer Retrieves via Bulk API
The payer creates a bulk retrieval job for claims documents:
```bash
curl -X POST https://api.docyard.io/v1/retrieval/jobs \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "dockId": "dock_01HQ3K...",
    "recipientId": "rcp_01HQ3N...",
    "metadata": { "document_type": "explanation-of-benefits" },
    "sinceTimestamp": "2025-01-01T00:00:00.000Z"
  }'
```
Fetch results with signed download URLs:
```bash
curl https://api.docyard.io/v1/retrieval/jobs/job_01HQ3Q.../results \
  -H "Authorization: Bearer YOUR_API_KEY"
```
Compliance Notes: HIPAA
Healthcare document distribution must comply with HIPAA (Health Insurance Portability and Accountability Act):
- Business Associate Agreement (BAA): Any entity accessing PHI through Docyard must have a BAA in place. Docyard can serve as the conduit, but the covered entity is responsible for ensuring BAAs are executed with all recipients (payers, providers).
- Minimum Necessary Rule: Policies should scope artifact types to the minimum necessary for each recipient’s purpose. A payer processing claims needs EOBs and claim summaries — not lab results or imaging reports.
- Patient Right of Access: Under the HIPAA Privacy Rule, patients have the right to access their health records. The patient self-service portal fulfills this requirement with SMS OTP verification.
- Audit trail for investigations: HHS Office of Inspector General (OIG) investigations require access to records within defined time windows. The auditor policy’s time-boxed, read-only, no-download configuration ensures investigators can review without exfiltrating data.
- Breach notification: If a security incident occurs, Docyard’s immutable audit log provides a complete record of who accessed what and when — critical for breach assessment and notification under the HIPAA Breach Notification Rule.
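The Minimum Necessary and investigation points above can be checked mechanically before a policy is published. The following is an added example, not Docyard code: the recipe field names come from the Step 4 policies, while `ALLOWED`, `make_policy` and `lint_policy` are assumptions made for illustration.

```python
import json

# Assumption: allow-list copied from the Step 4 recipes; adjust to your own analysis.
ALLOWED = {
    "mortgagee": {"explanation-of-benefits", "claim-summary", "pre-authorization"},
    "agent": {"lab-results", "imaging-report", "referral-letter",
              "discharge-summary", "visit-summary"},
    "policyholder": {"explanation-of-benefits", "lab-results", "visit-summary",
                     "immunization-record", "discharge-summary"},
}

def make_policy(name, recipe):
    """Build a policy body; json.dumps does the string-escaping of the recipe."""
    return {"name": name, "recipe": json.dumps(recipe)}

def lint_policy(policy):
    """Return a list of findings for one policy body (hypothetical helper)."""
    recipe = json.loads(policy["recipe"])  # recipe is JSON carried as a string
    cls = recipe.get("stakeholderClass")
    types = set(recipe.get("artifactTypes", []))
    findings = []
    if cls == "auditor":
        # Auditors may see every type, so the limits must come from access settings.
        access = recipe.get("access", {})
        window = recipe.get("constraints", {}).get("time_window", {})
        if access.get("read_only") is not True:
            findings.append("auditor: not read_only")
        if access.get("download_enabled") is not False:
            findings.append("auditor: download not disabled")
        if not (window.get("start") and window.get("end")):
            findings.append("auditor: no bounded time_window")
    else:
        if "*" in types:
            findings.append(f"{cls}: wildcard artifactTypes")
        extra = sorted(types - ALLOWED.get(cls, set()) - {"*"})
        if extra:
            findings.append(f"{cls}: beyond minimum necessary: {extra}")
    return findings

# Constructed sample policies (the first mirrors the payer recipe's scope).
PAYER_OK = make_policy("Payer Bulk Claims Access", {
    "stakeholderClass": "mortgagee",
    "artifactTypes": ["explanation-of-benefits", "claim-summary", "pre-authorization"]})
PAYER_BROAD = make_policy("constructed: over-broad payer", {
    "stakeholderClass": "mortgagee", "artifactTypes": ["claim-summary", "lab-results"]})
AUDITOR_OPEN = make_policy("constructed: unbounded auditor", {
    "stakeholderClass": "auditor", "artifactTypes": ["*"],
    "access": {"method": "portal", "read_only": True, "download_enabled": True}})
for p in (PAYER_OK, PAYER_BROAD, AUDITOR_OPEN):
    print(p["name"], "->", lint_policy(p))
```

Run it over every recipe before the publish call and treat a non-empty list as a failed check.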
Persona Summary
| Persona | Healthcare Role | Auth Factors | Access Method | Key Identifiers |
|---|---|---|---|---|
| Mortgagee | Payer / Insurance Co. | Passphrase + mTLS | Bulk API (batch 5,000) | payer_id, member_id |
| Agent | Provider / Specialist | WebAuthn | Portal + bulk download | npi_number, member_id |
| Policyholder | Patient | DOB + SMS OTP | Portal (single retrieval) | email, date_of_birth, member_id |
| Auditor | HHS Investigator | Badge ID + NDA hash | Portal (read-only, no download) | badge_id, nda_hash |
Next Steps