- The HL7 FHIR SMART Application Launch Framework Implementation Guide Release 2.0.0 is a newer version of the standard that is available for health IT developers to voluntarily update and provide to their customers. It became available when it was added to the Approved Standards for 2022 through ONC’s Standards Version Advancement Process (SVAP).
- Since FHIR transactions require the use of a FHIR client, client application registration and management is an integral component for apps using FHIR.
- UDAP Dynamic Client Registration provides an extension to RFC 7591 to better scale the registration and use of FHIR client apps. This profile has seen interest from numerous industry stakeholders as an alternative to manually re-registering apps at every different datasource and as a way to enable sharing of information about apps among datasources.
- UDAP is an open collaborative developing profiles to increase scalability, confidence, security, and trust in Open API ecosystems, and allows the re-use of identity proofing and credentialing processes already in place in existing national health information networks. These profiles are in draft status and are in pilot stage. UDAP DCR and Authentication/Authorization have been tested successfully at several HL7 FHIR connectathons and have received positive feedback from multiple stakeholders, including national health information networks, EHR vendors, patient privacy rights advocates, and app developers. These profiles are also compatible with SMART App Launch and UMA.
- The Security FHIR IG has been established upon the recommendations of ONC’s FHIR at Scale Taskforce (FAST) Security Tiger Team, and has been adapted from IGs previously published by UDAP.org. The objective of the IG is to harmonize workflows for both consumer-facing and B2B applications to facilitate cross-organizational and cross-network interoperability.
- System Authentication – The information and process necessary to authenticate the systems involved.
- User Authentication – The information and process necessary to authenticate the end user.
- User Details – Identifies the end user who is accessing the data.
- User Role – Identifies the roles and clearances asserted by the individual initiating the transaction for purposes of authorization. E.g., the system must verify the initiator’s claims and match them against the security labels for the functionalities that the user attempts to initiate and the objects the user attempts to access.
- Purpose of Use – Identifies the purpose for the transaction, and for the purposes for which the end user intends to use the accessed objects.
- Patient Consent Information – Identifies the patient consent information that may be required before data can be accessed.
- May be required to authorize any exchange of patient information
- May be required to authorized access and use of patient information
- May be required to be sent along with disclosed patient information to advise the receiver about policies to which end users must comply
- Query Request ID - Query requesting application assigns a unique identifier for each query request in order to match the response to the original query.
- Security Labeling – The health information is labeled with security metadata necessary for access control by the end user.