Printer Friendly, PDF & Email Printer Friendly, PDF & Email

§170.315(g)(10) Standardized API for patient and population services

Version 1.7 Updated on 08-02-2021
Resource Documents
Revision History
Version # Description of Change Version Date
1.0

Final Test Procedure

06-01-2020
1.1

Corrected typos. Corrected internal document references in Steps 12, 13, and 19 of “Authentication and Authorization for Patient and User Scopes.” Corrected applicable launch scenarios in Step 13 of “Authentication and Authorization for Patient and User Scopes.” Amended Step 10 of "Authentication and Authorization for Patient and User Scopes" by removing non-USCDI mapped US Core IG FHIR resources. 

08-07-2020
1.2

Updated compliance date, regulation text, and standard for trial use (STU) 3 Release 3.1.1 at § 170.215(2), per the IFR, Information Blocking and the ONC Health IT Certification Program: Extension of Compliance Dates and Timeframes in Response to the COVID-19 Public Health Emergency 

11-02-2020
1.3

Added step for issuance of a refresh token to native apps that are capable of storing a refresh token (Step 21 of "Paragraph (g)(10)(v)(A) - Authentication and authorization for patient and user scopes"). 

Removed "PractitionerRole" and "RelatedPerson" from multiple patient services data support list (Step 8 of "Paragraph (g)(10)(i) - Data response").

12-16-2020
1.4

Updated test procedure step regarding "offline_access" scope, enabling a health IT developer to demonstrate either support for the end-user to explicitly enable/disable the "offline_access" scope, or information communicating the application's request for the "offline_access" scope. 

04-02-2021
1.5

Corrected typo in Step 5 of “Paragraph (g)(10)(v)(B) – Authentication and authorization for system scopes” to indicate that the “cache-control” header is sent by the application. Added step for health IT developer to demonstrate the public location of its certified API technology service base URLs that can be used by patients to access their Electronic Health Information.

05-13-2021
1.6

Updated Step 13 of “Paragraph (g)(10)(v)(A) – Authentication and authorization for patient and user scopes” to indicate that only the “launch” parameter, in EHR-Launch mode, is tested against the “launch” parameter provided in Step 8. Added a new Step 14 to this section to indicate how the “aud” parameter is tested. Corrected a typo in Step 22 of this section to indicate refresh tokens are granted to native applications capable of securing a refresh token.

06-08-2021
1.7

Updated “Missing Data” requirements in section “Data Response Checks for Single and Multiple Patients” to clarify that health IT developers must demonstrate that Health IT Modules support “Missing Data” according to the US Core IG, including for non-coded and coded data elements.

08-02-2021
Regulation Text
Regulation Text

§ 170.315(g)(10) Standardized API for patient and population services

The following technical outcomes and conditions must be met through the demonstration of application programming interface technology.

  1. Data response.
    1. Respond to requests for a single patient’s data according to the standard adopted in § 170.215(a)(1) and implementation specification adopted in § 170.215(a)(2), including the mandatory capabilities described in “US Core Server CapabilityStatement,” for each of the data included in the standard adopted in § 170.213. All data elements indicated as “mandatory” and “must support” by the standards and implementation specifications must be supported.
    2. Respond to requests for multiple patients’ data as a group according to the standard adopted in § 170.215(a)(1), and implementation specifications adopted in § 170.215(a)(2) and (4), for each of the data included in the standard adopted in § 170.213. All data elements indicated as “mandatory” and “must support” by the standards and implementation specifications must be supported.
  2. Supported search operations.
    1. Respond to search requests for a single patient’s data consistent with the search criteria included in the implementation specification adopted in § 170.215(a)(2), specifically the mandatory capabilities described in “US Core Server CapabilityStatement”.
    2. Respond to search requests for multiple patients' data consistent with the search criteria included in the implementation specification adopted in § 170.215(a)(4).
  3. Application registration. Enable an application to register with the Health IT Module’s “authorization server.”
  4. Secure connection.
    1. Establish a secure and trusted connection with an application that requests data for patient and user scopes in accordance with the implementation specifications adopted in § 170.215(a)(2) and (3).
    2. Establish a secure and trusted connection with an application that requests data for system scopes in accordance with the implementation specification adopted in § 170.215(a)(4).
  5. Authentication and authorization.
    1. Authentication and authorization for patient and user scopes.
      1. First time connections.
        1. Authentication and authorization must occur during the process of granting access to patient data in accordance with the implementation specification adopted in § 170.215(a)(3) and standard adopted in § 170.215(b).
        2.  A Health IT Module’s authorization server must issue a refresh token valid for a period of no less than three months to applications capable of storing a client secret. 
        3. A Health IT Module’s authorization server must issue a refresh token for a period of no less than three months to native applications capable of securing a refresh token. 
      2. Subsequent connections.
        1. Access must be granted to patient data in accordance with the implementation specification adopted in§ 170.215(a)(3) without requiring re-authorization and re-authentication when a valid refresh token is supplied by the application.
        2. A Health IT Module’s authorization server must issue a refresh token valid for a new period of no less than three months to applications capable of storing a client secret. 
    2. Authentication and authorization for system scopes. Authentication and authorization must occur during the process of granting an application access to patient data in accordance with the “SMART Backend Services: Authorization Guide” section of the implementation specification adopted in § 170.215(a)(4) and the application must be issued a valid access token.
  6. Patient authorization revocation. A Health IT Module’s authorization server must be able to revoke an authorized application’s access at a patient’s direction.
  7. Token introspection. A Health IT Module’s authorization server must be able to receive and validate tokens it has issued.
  8. Documentation.
    1. The API(s) must include complete accompanying documentation that contains, at a minimum:
      1. API syntax, function names, required and optional parameters supported and their data types, return variables and their types/structures, exceptions and exception handling methods and their returns.
      2.  The software components and configurations that would be necessary for an application to implement in order to be able to successfully interact with the API and process its response(s).
      3. All applicable technical requirements and attributes necessary for an application to be registered with a Health IT Module’s authorization server.
    2. The documentation used to meet paragraph (g)(10)(viii)(A) of this section must be available via a publicly accessible hyperlink without any preconditions or additional steps.
Standard(s) Referenced

Paragraph (g)(10)(i)(A)

§ 170.215(a)(1) Health Level 7 (HL7®) Version 4.0.1 Fast Healthcare Interoperability Resources Specification (FHIR®) Release 4, October 30, 2019

§ 170.215(a)(2) FHIR® US Core Implementation Guide STU V3.1.1

§ 170.213 United States Core Data for Interoperability (USCDI)

Paragraph (g)(10)(i)(B)

§ 170.215(a)(1) HL7® Version 4.0.1 FHIR® Release 4, October 30, 2019

§ 170.215(a)(2) FHIR® US Core Implementation Guide STU V3.1.1

§ 170.213 USCDI

§ 170.215(a)(4) HL7®  FHIR Bulk Data Access (Flat FHIR) (V1.0.0:STU 1)

Paragraph (g)(10)(ii)(A)

§ 170.215(a)(2) FHIR® US Core Implementation Guide STU V3.1.1

Paragraph (g)(10)(ii)(B)

§ 170.215(a)(4) HL7® FHIR® Bulk Data Access (Flat FHIR®) (V1.0.0:STU 1)

Paragraph (g)(10)(iii)

None

Paragraph (g)(10)(iv)(A)

§ 170.215(a)(2) FHIR® US Core Implementation Guide STU V3.1.1

§ 170.215(a)(3) HL7® SMART Application Launch Framework Implementation Guide Release 1.0.0

Paragraph (g)(10)(iv)(B)

§ 170.215(a)(4) HL7® FHIR Bulk Data Access (Flat FHIR) (V1.0.0:STU 1)

Paragraph (g)(10)(v)(A)(1)

§ 170.215(a)(3) HL7® SMART Application Launch Framework Implementation Guide Release 1.0.0

§ 170.215(b) OpenID Connect Core 1.0 incorporating errata set 1

Paragraph (g)(10)(v)(A)(2)

§ 170.215(a)(3) HL7® SMART Application Launch Framework Implementation Guide Release 1.0.0

Paragraph (g)(10)(v)(B)

§ 170.215(a)(4) HL7® FHIR Bulk Data Access (Flat FHIR) (V1.0.0:STU 1)

Paragraph (g)(10)(vi)

None

Paragraph (g)(10)(vii)

None

Paragraph (g)(10)(viii)

None

Testing
Testing Tool

Inferno

Test Tool Documentation

Inferno User’s Guide

Please consult the Final Rule entitled: 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program and the Interim Final Rule (IFR), Information Blocking and the ONC Health IT Certification Program: Extension of Compliance Dates and Timeframes in Response to the COVID-19 Public Health Emergency for associated regulations and a detailed description of the certification criterion with which these testing steps are associated. Developers are encouraged to consult the Certification Companion Guide in tandem with the test procedure as these provide clarifications that may be useful for product development and testing.

Note: The order in which the test steps are listed reflects the sequence of the certification criterion and does not necessarily prescribe the order in which the test should take place.

Testing components

No GAP Icon Documentation Icon Visual Inspection Icon Test Tool Icon No ONC Supplied Test Data Icon

Paragraph (g)(10)(iii) – Application registration

System Under Test Test Lab Verification

Application Registration

  1. The health IT developer demonstrates the Health IT Module supports application registration with an authorization server for the purposes of Electronic Health Information (EHI) access for single patients, including support for application registration functions to enable authentication and authorization in § 170.315(g)(10)(v).
  2. The health IT developer demonstrates the Health IT Module supports application registration with an authorization server for the purposes of EHI access for multiple patients including support for application registration functions to enable authentication and authorization in § 170.315(g)(10)(v).

Application Registration

  1. The tester verifies the Health IT Module supports application registration with an authorization server for the purposes of EHI access for single patients, including support for application registration functions to enable authentication and authorization in § 170.315(g)(10)(v).
  2. The tester verifies the Health IT Module supports application registration with an authorization server for the purposes of EHI access for multiple patients including support for application registration functions to enable authentication and authorization in § 170.315(g)(10)(v).

Paragraph (g)(10)(iv) – Secure connection

System Under Test Test Lab Verification

Secure Connection

  1. For all transmissions between the Health IT Module and the application, the health IT developer demonstrates the use of a secure and trusted connection in accordance with the implementation specifications adopted in § 170.215(a)(2) and § 170.215(a)(3), including:
    • Using TLS version 1.2 or higher; and
    • Conformance to FHIR Communications Security requirements.

Secure Connection

  1. For all transmissions between the Health IT Module and the application, the tester verifies the use of a secure and trusted connection in accordance with the implementation specifications adopted in § 170.215(a)(2) and § 170.215(a)(3), including:
    • Using TLS version 1.2 or higher; and
    • Conformance to FHIR Communications Security requirements.

Paragraph (g)(10)(v)(A) – Authentication and authorization for patient and user scopes

System Under Test Test Lab Verification

Authentication and Authorization for Patient and User Scopes

  1. The health IT developer demonstrates the ability of the Health IT Module to support the following for “EHR-Launch,” “Standalone-Launch,” and “Both” (“EHR-Launch” and “Standalone-Launch”) as specified in the implementation specification adopted in § 170.215(a)(3).
  2. [EHR-Launch] The health IT developer demonstrates the ability of the Health IT Module to initiate a “launch sequence” using the “launch-ehr" “SMART on FHIR Core Capability” SMART EHR Launch mode detailed in the implementation specification adopted in § 170.215(a)(3), including:
    • Launching the registered launch URL of the application; and
    • Passing the parameters: “iss” and “launch”.
  3. [Standalone-Launch] The health IT developer demonstrates the ability of the Health IT Module to launch using the “launch-standalone" “SMART on FHIR Core Capability” SMART Standalone Launch mode detailed in the implementation specification adopted in § 170.215(a)(3).
  4. [Standalone-Launch] The health IT developer demonstrates the ability of the Health IT Module to support SMART’s public client profile.
  5. [Both] The health IT developer demonstrates the ability of the Health IT Module to support the following as detailed in the implementation specification adopted in § 170.215(a)(3) and standard adopted in § 170.215(a)(1):
    • The “.well-known/smart-configuration.json” path; and
    • A FHIR “CapabilityStatement”.
  6. [Both] The health IT developer demonstrates the ability of the “.well-known/smart-configuration.json” path to support at least the following as detailed in the implementation specification adopted in § 170.215(a)(3):
    • “authorization_endpoint”;
    • “token_endpoint”; and
    • “capabilities” (including support for all the “SMART on FHIR Core Capabilities”).
  7. [Both] The health IT developer demonstrates the ability of the FHIR “CapabilityStatement” to support at least the following components as detailed in the implementation specification adopted in § 170.215(a)(3) and standard adopted in § 170.215(a)(1), including:
    • “authorize”; and
    • “token”.
  8. [Both] The health IT developer demonstrates the ability of the Health IT Module to receive an authorization request according to the implementation specification adopted in § 170.215(a)(3), including support for the following parameters:
    • “response_type”;
    • “client_id”;
    • “redirect_uri”;
    • “launch” (for EHR-Launch mode only);
    • “scope”;
    • “state”; and
    • “aud”.
  9. [Both] The health IT developer demonstrates the ability of the Health IT Module to support the receipt of the following scopes and capabilities according to the implementation specification adopted in § 170.215(a)(3) and standard adopted in § 170.215(b):
    • “openid” (to support “sso-openid-connect” “SMART on FHIR Core Capability”);
    • “fhirUser” (to support “sso-openid-connect” “SMART on FHIR Core Capability”);
    • “need_patient_banner” (to support “context-banner” “SMART on FHIR Core Capability” for EHR-Launch mode only);
    • “smart_style_url” (to support “context-style” “SMART on FHIR Core Capability” for EHR-Launch mode only);
    • “launch/patient” (to support “context-standalone-patient” “SMART on FHIR Core Capability” for Standalone-Launch mode only);
    • “launch” (for EHR-Launch mode only);
    • “offline_access” (to support “permission-offline” “SMART on FHIR Core Capability”);
    • Patient-level scopes (to support “permission-patient” “SMART on FHIR Core Capability”); and
    • User-level scopes (to support “permission-user” “SMART on FHIR Core Capability”).
  10. [Both] The health IT developer demonstrates the ability of the Health IT Module to evaluate the authorization request and request end-user input, if applicable (required for patient-facing applications), including the ability for the end-user to authorize an application to receive EHI based on FHIR resource-level scopes for all of the FHIR resources associated with the profiles specified in the standard adopted in § 170.213 and implementation specification adopted in § 170.215(a)(2), including:
    • “AllergyIntolerance”;
    • “CarePlan”;
    • “CareTeam”;
    • “Condition”;
    • “Device”;
    • “DiagnosticReport”;
    • “DocumentReference”;
    • “Goal”;
    • “Immunization”;
    • “Medication” (if supported);
    • “MedicationRequest”;
    • “Observation”;
    • “Patient”;
    • “Procedure”; and
    • “Provenance”.
  11. [Both] The health IT developer demonstrates the ability of the Health IT Module to evaluate the authorization request and request end-user input, if applicable (required for patient-facing applications), including either the ability for the end-user to explicitly enable / disable the “offline_access” scope or information communicating the application’s request for the “offline_access” scope.
  12. [Both] The health IT developer demonstrates the ability of the Health IT Module to deny an application’s authorization request according to a patient’s preferences selected in steps 10 and 11 of this section in accordance with the implementation specification adopted in § 170.215(a)(3).
  13. [EHR-Launch] The health IT developer demonstrates the ability of the Health IT Module to return an error response if the "launch" parameter provided by an application to the Health IT Module in step 8 of this section does not match the "launch" parameter originally provided to an application by the Health IT Module in step 2 of this section according to the implementation specification adopted in § 170.215(a)(3).
  14. [Both] The health IT developer demonstrates the ability of the Health IT Module to return an error response if the "aud" parameter provided by an application to the Health IT Module in Step 8 is not a valid FHIR resource server associated with the Health IT Module's authorization server.
  15. [Both] The health IT developer demonstrates the ability of the Health IT Module to grant an application access to EHI by returning an authorization code to the application according to the implementation specification adopted in § 170.215(a)(3), including the following parameters:
    • “code”; and
    • “state”.
  16. [Both] The health IT developer demonstrates the ability of the Health IT Module to receive the following parameters from an application according to the implementation specification adopted in § 170.215(a)(3):
    • “grant_type”;
    • “code”;
    • “redirect_uri”;
    • “client_id”; and
    • Authorization header including “client_id” and “client_secret”.
  17. [Both] The health IT developer demonstrates the ability of the Health IT Module to return a JSON object to applications according to the implementation specification adopted in § 170.215(a)(3) and standard adopted in § 170.215(b), including the following:
    • “access_token”;
    • “token_type”;
    • “scope”;
    • “id_token”;
    • “refresh_token” (valid for a period of no shorter than three months);
    • HTTP “Cache-Control” response header field with a value of “no-store”;
    • HTTP “Pragma” response header field with a value of “no-cache”;
    • “patient” (to support “context-ehr-patient” and “context-standalone-patient” “SMART on FHIR Core Capabilities”);
    • “need_patient_banner” (to support “context-banner” “SMART on FHIR Core Capability” for EHR-Launch mode only); and
    • “smart_style_url” (to support “context-style” “SMART on FHIR Core Capability” for EHR-Launch mode only).
  18. [Both] The health IT developer demonstrates the ability of the Health IT Module to provide an OpenID Connect well-known URI in accordance with the implementation specification adopted in § 170.215(b), including:
    • All required fields populated according to implementation specification adopted in § 170.215(b); and
    • Valid JWKS populated according to implementation specification can be retrieved via JWKS URI
  19. [Both] The health IT developer demonstrates the ability of the Health IT Module to deny an application’s authorization request in accordance with the implementation specification adopted in § 170.215(a)(3).
  20. [Standalone-Launch] The health IT developer demonstrates the ability of the Health IT Module to return a “Patient” FHIR resource that matches the patient context provided in step 9 of this section according to the implementation specification adopted in § 170.215(a)(2).
  21. [Both] The health IT developer demonstrates the ability of the Health IT Module to grant an access token when a refresh token is supplied according to the implementation specification adopted in § 170.215(a)(2).
  22. [Both] The health IT developer demonstrates the ability of the Health IT Module to grant a refresh token valid for a period of no less than three months to native applications capable of securing a refresh token. 

Subsequent Connections: Authentication and Authorization for Patient and User Scopes

  1. The health IT developer demonstrates the ability of the Health IT Module to issue a new refresh token valid for a period of no shorter than three months without requiring re-authentication and re-authorization when a valid refresh token is supplied by the application according to the implementation specification adopted in § 170.215(a)(3).
  2. The health IT developer demonstrates the ability of the Health IT Module to return an error response when supplied an invalid refresh token as specified in the implementation specification adopted in § 170.215(a)(3).

Authentication and Authorization for Patient and User Scopes

  1. The tester verifies the ability of the Health IT Module to support the following for “EHR-Launch,” “Standalone-Launch,” and “Both” (“EHR-Launch” and “Standalone-Launch”) as specified in the implementation specification adopted in § 170.215(a)(3).
  2. [EHR-Launch] The tester verifies the ability of the Health IT Module to initiate a “launch sequence” using the “launch-ehr" “SMART on FHIR Core Capability” SMART EHR Launch mode detailed in the implementation specification adopted in § 170.215(a)(3), including:
    • Launching the registered launch URL of the application; and
    • Passing the parameters: “iss” and “launch”.
  3. [Standalone-Launch] The tester verifies the ability of the Health IT Module to launch using the “launch-standalone" “SMART on FHIR Core Capability” SMART Standalone Launch mode detailed in the implementation specification adopted in § 170.215(a)(3).
  4. [Standalone-Launch] The tester verifies the ability of the Health IT Module to support SMART’s public client profile.
  5. [Both] The tester verifies the ability of the Health IT Module to support the following as detailed in the implementation specification adopted in § 170.215(a)(3) and standard adopted in § 170.215(a)(1):
    • The “.well-known/smart-configuration.json” path; and
    • A FHIR “CapabilityStatement”.
  6. [Both] The tester verifies the ability of the “.well-known/smart-configuration.json” path to support at least the following as detailed in the implementation specification adopted in § 170.215(a)(3):
    • “authorization_endpoint”;
    • “token_endpoint”; and
    • “capabilities” (including support for all the “SMART on FHIR Core Capabilities”).
  7. [Both] The tester verifies the ability of the FHIR “CapabilityStatement” to support at least the following components as detailed in the implementation specification adopted in § 170.215(a)(3) and standard adopted in § 170.215(a)(1), including:
    • “authorize”; and
    • “token”.
  8. [Both] The tester verifies the ability of the Health IT Module to receive an authorization request according to the implementation specification adopted in § 170.215(a)(3), including support for the following parameters:
    • “response_type”;
    • “client_id”;
    • “redirect_uri”;
    • “launch” (for EHR-Launch mode only);
    • “scope”;
    • “state”; and
    • “aud”.
  9. [Both] The tester verifies the ability of the Health IT Module to support the receipt of the following scopes according to the implementation specification adopted in § 170.215(a)(3) and standard adopted in § 170.215(b):
    • “openid” (to support “sso-openid-connect” “SMART on FHIR Core Capability”);
    • “fhirUser” (to support “sso-openid-connect” “SMART on FHIR Core Capability”);
    • “need_patient_banner” (to support “context-banner” “SMART on FHIR Core Capability” for EHR-Launch mode only);
    • “smart_style_url” (to support “context-style” “SMART on FHIR Core Capability” for EHR-Launch mode only);
    • “launch/patient” (to support “context-standalone-patient” “SMART on FHIR Core Capability” for Standalone-Launch mode only);
    • “launch” (for EHR-Launch mode only);
    • “offline_access” (to support “permission-offline” “SMART on FHIR Core Capability”);
    • Patient-level scopes (to support “permission-patient” “SMART on FHIR Core Capability”); and
    • User-level scopes (to support “permission-user” “SMART on FHIR Core Capability”).
  10. [Both] The tester verifies the ability of the Health IT Module to evaluate the authorization request and request end-user input, if applicable (required for patient-facing applications), including the ability for the end-user to authorize an application to receive EHI based on FHIR resource-level scopes for all of the FHIR resources associated with the profiles specified in the standard adopted in § 170.213 and implementation specification adopted in § 170.215(a)(2), including:
    • “AllergyIntolerance”;
    • “CarePlan”;
    • “CareTeam”;
    • “Condition”;
    • “Device”;
    • “DiagnosticReport”;
    • “DocumentReference”;
    • “Goal”;
    • “Immunization”;
    • “Location”;
    • “Medication” (if supported);
    • “MedicationRequest”;
    • “Observation”;
    • "Patient";
    • “Procedure”; and
    • “Provenance”.
  11. [Both] The tester verifies the ability of the Health IT Module to evaluate the authorization request and request end-user input, if applicable (required for patient-facing applications), including either the ability for the end-user to explicitly enable / disable the “offline_access” scope or information communicating the application’s request for the “offline_access” scope.
  12. [Both] The tester verifies the ability of the Health IT Module to deny an application’s authorization request according to a patient’s preferences selected in steps 10 and 11 of this section in accordance with the implementation specification adopted in § 170.215(a)(3).
  13. [EHR-Launch] The tester verifies the ability of the Health IT Module to return an error response if the “launch” parameter provided by an application to the Health IT Module in step 8 of this section does not match the “launch” parameter originally provided to an application by the Health IT Module in step 2 of this section according to the implementation specification adopted in § 170.215(a)(3).
  14. [Both] The tester verifies the ability of the Health IT Module to return an error response if the "aud" parameter provided by an application to the Health IT Module in Step 8 is not a valid FHIR resource server associated with the Health IT Module's authorization server.
  15. [Both] The tester verifies the ability of the Health IT Module to grant an application access to EHI by returning an authorization code to the application according to the implementation specification adopted in § 170.215(a)(3), including the following parameters:
    • “code”; and
    • “state”.
  16. [Both] The tester verifies the ability of the Health IT Module to receive the following parameters from an application according to the implementation specification adopted in § 170.215(a)(3):
    • “grant_type”;
    • “code”;
    • “redirect_uri”;
    • “client_id”; and
    • Authorization header including “client_id” and “client_secret”.
  17. [Both] The tester verifies the ability of the Health IT Module to return a JSON object to applications according to the implementation specification adopted in § 170.215(a)(3) and standard adopted in § 170.215(b), including the following:
    • “access_token”;
    • “token_type”;
    • “scope”;
    • “id_token”;
    • “refresh_token” (valid for a period of no shorter than three months);
    • HTTP “Cache-Control” response header field with a value of “no-store”;
    • HTTP “Pragma” response header field with a value of “no-cache”;
    • “patient” (to support “context-ehr-patient” and “context-standalone-patient” “SMART on FHIR Core Capabilities”);
    • “need_patient_banner” (to support “context-banner” “SMART on FHIR Core Capability” for EHR-Launch mode only); and
    • “smart_style_url” (to support “context-style” “SMART on FHIR Core Capability” for EHR-Launch mode only).
  18. [Both] The tester verifies the ability of the Health IT Module to provide an OpenID Connect well-known URI in accordance with the implementation specification adopted in § 170.215(b), including:
    • All required fields populated according to implementation specification adopted in § 170.215(b)
    • Valid JWKS populated according to implementation specification can be retrieved via JWKS URI
  19. [Both] The tester verifies the ability of the Health IT Module to deny an application’s authorization request in accordance with the implementation specification adopted in § 170.215(a)(3).
  20. [Standalone-Launch] The tester verifies the ability of the Health IT Module to return a “Patient” FHIR resource that matches the patient context provided in step 9 of this section according to the implementation specification adopted in § 170.215(a)(2).
  21. [Both] The tester verifies the ability of the Health IT Module to grant an access token when a refresh token is supplied according to the implementation specification adopted in § 170.215(a)(2).
  22. [Both] The tester verifies the ability of the Health IT Module to grant a refresh token valid for a period of no less than three months to native applications capable of securing a refresh token. 

Subsequent Connections: Authentication and Authorization for Patient and User Scopes

  1. The tester verifies the ability of the Health IT Module to issue a new refresh token valid for a new period of no shorter than three months without requiring re-authentication and re-authorization when a valid refresh token is supplied by the application according to the implementation specification adopted in § 170.215(a)(3).
  2. The tester verifies the ability of the Health IT Module to return an error response when supplied an invalid refresh token as specified in the implementation specification adopted in § 170.215(a)(3).

Paragraph (g)(10)(vi) – Patient authorization revocation

System Under Test Test Lab Verification

Patient Authorization Revocation

  1. The health IT developer demonstrates the ability of the Health IT Module to revoke access to an authorized application at a patient’s direction, including a demonstration of the inability of the application with revoked access to receive patient EHI.

Patient Authorization Revocation

  1. The tester verifies the ability of the Health IT Module to revoke access to an authorized application at a patient’s direction, including a demonstration of the inability of the application with revoked access to receive patient EHI.

Paragraph (g)(10)(v)(B) – Authentication and authorization for system scopes

System Under Test Test Lab Verification

Authentication and Authorization for System Scopes

  1. The health IT developer demonstrates the ability of the Health IT Module to support OAuth 2.0 client credentials grant flow in accordance with the implementation specification adopted in § 170.215(a)(4).
  2. The health IT developer demonstrates the ability of the Health IT Module to support the following parameters according to the implementation specification adopted in § 170.215(a)(4):
    • “scope”;
    • “grant_type”;
    • “client_assertion_type”; and
    • “client_assertion”.
  3. The health IT developer demonstrates the ability of the Health IT Module to support the following JSON Web Token (JWT) Headers and Claims according to the implementation specification adopted in § 170.215(a)(4):
    • “alg” header;
    • “kid” header;
    • “typ” header;
    • “iss” claim;
    • “sub” claim;
    • “aud” claim;
    • “exp” claim; and
    • “jti” claim.
  4. The health IT developer demonstrates the ability of the Health IT Module to receive and process the JSON Web Key (JWK) Set via a TLS-protected URL to support authorization for system scopes in § 170.315(g)(10)(v)(B).
  5. The health IT developer demonstrates that the Health IT Module does not cache a JWK Set received via a TLS-protected URL for longer than the “cache-control” header sent by an application indicates.
  6. The health IT developer demonstrates the ability of the Health IT Module to validate an application’s JWT, including its JSON Web Signatures, according to the implementation specification adopted in § 170.215(a)(4).
  7. The health IT developer demonstrates the ability of the Health IT Module to respond with an “invalid_client” error for errors encountered during the authentication process according to the implementation specification adopted in § 170.215(a)(4).
  8. The health IT developer demonstrates the ability of the Health IT Module to assure the scope granted based on the scope requested by an application is no greater than the pre-authorized scope for multiple patients according to the implementation specification adopted in § 170.215(a)(4).
  9. The health IT developer demonstrates the ability of the Health IT Module to issue an access token to an application as a JSON object in accordance with the implementation specification adopted in § 170.215(a)(4), including the following property names:
    • “access_token”;
    • “token_type”;
    • “expires_in”; and
    • “scope”.
  10. The health IT developer demonstrates the ability of the Health IT Module to respond to errors using the appropriate error messages as specified in the implementation specification adopted in § 170.215(a)(4).

Authentication and Authorization for System Scopes

  1. The tester verifies the ability of the Health IT Module to support OAuth 2.0 client credentials grant flow in accordance with the implementation specification adopted in § 170.215(a)(4).
  2. The tester verifies the ability of the Health IT Module to support the following parameters according to the implementation specification adopted in § 170.215(a)(4):
    • “scope”;
    • “grant_type”;
    • “client_assertion_type”; and
    • “client_assertion”.
  3. The tester verifies the ability of the Health IT Module to support the following JSON Web Token (JWT) Headers and Claims according to the implementation specification adopted in § 170.215(a)(4):
    • “alg” header;
    • “kid” header;
    • “typ” header;
    • “iss” claim;
    • “sub” claim;
    • “aud” claim;
    • “exp” claim; and
    • “jti” claim.
  4. The tester verifies the ability of the Health IT Module to receive and process the JWK structure via a TLS-protected URL to support authorization for system scopes in § 170.315(g)(10)(v)(B).
  5. The tester verifies that the Health IT Module does not cache a JWK Set received via a TLS-protected URL for longer than the “cache-control” header sent by an application indicates.
  6. The tester verifies the ability of the Health IT Module to validate an application’s JWT, including its JSON Web Signatures, according to the implementation specification adopted in § 170.215(a)(4).
  7. The tester verifies the ability of the Health IT Module to respond with an “invalid_client” error for errors encountered during the authentication process according to the implementation specification adopted in § 170.215(a)(4).
  8. The tester verifies the ability of the Health IT Module to assure the scope granted based on the scope requested by an application is no greater than the pre-authorized scope for multiple patients according to the implementation specification adopted in § 170.215(a)(4).
  9. The tester verifies the ability of the Health IT Module to issue an access token to an application as a JSON object in accordance with the implementation specification adopted in § 170.215(a)(4), including the following property names:
    • “access_token”;
    • “token_type”;
    • “expires_in”; and
    • “scope”.
  10. The tester verifies the ability of the Health IT Module to respond to errors using the appropriate error messages as specified in the implementation specification adopted in § 170.215(a)(4).

Paragraph (g)(10)(vii) – Token introspection

System Under Test Test Lab Verification

Token Introspection

  1. The health IT developer demonstrates the ability of the Health IT Module to receive and validate a token it has issued.

Token Introspection

  1. The tester verifies the ability of the Health IT Module to receive and validate a token it has issued.

Paragraph (g)(10)(ii) – Supported search operations

System Under Test Test Lab Verification

Supported Search Operations for a Single Patient’s Data

  1. The health IT developer demonstrates the ability of the Health IT Module to support the “capabilities” interaction as specified in the standard adopted in § 170.215(a)(1), including support for a “CapabilityStatement” as specified in the standard adopted in § 170.215(a)(1) and implementation specification adopted in § 170.215(a)(2).
  2. The health IT developer demonstrates the ability of the Health IT Module to respond to requests for a single patient’s data consistent with the search criteria detailed in the “US Core Server CapabilityStatement” section of the implementation specification adopted in § 170.215(a)(2), including demonstrating search support for “SHALL” operations and parameters for all the data included in the standard adopted in § 170.213.
  3. The health IT developer demonstrates the ability of the Health IT Module to support a resource search for the provenance target “(_revIncludes: Provenance:target)” for all the FHIR resources included in the standard adopted in § 170.213 and implementation specification adopted in § 170.215(a)(2) according to the “Basic Provenance Guidance” section of the implementation specification adopted in § 170.215(a)(2).

Supported Search Operations for Multiple Patients’ Data

  1. The health IT developer demonstrates the ability of the Health IT Module to support the “capabilities” interaction as specified in the standard adopted in § 170.215(a)(1), including support for a “CapabilityStatement” as specified in the standard adopted in § 170.215(a)(1) and implementation specification adopted in § 170.215(a)(4).
  2. The health IT developer demonstrates the ability of the Health IT Module to support requests for multiple patients’ data as a group using the “group-export” operation as detailed in the implementation specification adopted in § 170.215(a)(4).

Supported Search Operations for a Single Patient’s Data

  1. The tester verifies the ability of the Health IT Module to support the “capabilities” interaction as specified in the standard adopted in § 170.215(a)(1), including support for a “CapabilityStatement” as specified in the standard adopted in § 170.215(a)(1) and implementation specification adopted in § 170.215(a)(2).
  2. The tester verifies the ability of the Health IT Module to respond to requests for a single patient’s data consistent with the search criteria detailed in the “US Core Server CapabilityStatement” section of the implementation specification adopted in § 170.215(a)(2), including demonstrating search support for “SHALL” operations and parameters for all the data included in the standard adopted in § 170.213.
  3. The tester verifies the ability of the Health IT Module to support a resource search for the provenance target “(_revIncludes: Provenance:target)” for all the FHIR resources included in the standard adopted in § 170.213 and implementation specification adopted in § 170.215(a)(2) according to the “Basic Provenance Guidance” section of the implementation specification adopted in § 170.215(a)(2).

Supported Search Operations for Multiple Patients’ Data

  1. The tester verifies the ability of the Health IT Module to support the “capabilities” interaction as specified in the standard adopted in § 170.215(a)(1), including support for a “CapabilityStatement” as specified in the standard adopted in § 170.215(a)(1) and implementation specification adopted in § 170.215(a)(4).
  2. The tester verifies the ability of the Health IT Module to support requests for multiple patients’ data as a group using the “group-export” operation as detailed in the implementation specification adopted in § 170.215(a)(4).

Paragraph (g)(10)(i) – Data response

System Under Test Test Lab Verification

Data Response Checks for Single and Multiple Patients

  1. For responses to data for single and multiple patients as described in steps 7 and 8 of this section respectively, the health IT developer demonstrates the ability of the Health IT Module to respond to requests for data according to the implementation specification adopted in § 170.215(a)(2), including the following steps.
  2. The health IT developer demonstrates the ability of the Health IT Module to respond with data that meet the following conditions:
    • All data elements indicated with a cardinality of one or greater and / or “must support” are included;
    • Content is structurally correct;
    • All invariant rules are met;
    • All data elements with required “ValueSet” bindings contain codes within the bound “ValueSet”;
    • All information is accurate and without omission; and
    • All references within the resources can be resolved and validated, as applicable, according to steps 2-6 of this section.
  3. The health IT developer demonstrates the ability of the Health IT Module to support a “Provenance” FHIR resource for all the FHIR resources included in the standard adopted in § 170.213 and implementation specification adopted in § 170.215(a)(2) according to the “Basic Provenance Guidance” section of the implementation specification adopted in § 170.215(a)(2).
  4. The health IT developer demonstrates the ability of the Health IT Module to support a “DocumentReference” and/or "DiagnosticReport" FHIR resource for each of the “Clinical Notes” and “Diagnostic Reports” included in and according to the “Clinical Notes Guidance” section of the implementation specification adopted in § 170.215(a)(2).
  5. If supported, and for responses to data for a single patient only, the health IT developer demonstrates the ability of the Health IT Module to support a “Medication” FHIR resource according to the “Medication List Guidance” section of the implementation specification adopted in § 170.215(a)(2).
  6. The health IT developer demonstrates the ability of the Health IT Module to support “Missing Data” according to the implementation specification adopted in § 170. 215(a)(2), including:
    • For non-coded data elements; and
    • For coded data elements, including support for the “DataAbsentReason” Code System.

Note: We require the health IT developers to demonstrate support for the tests above for both responses to requests for a single patient’s data and responses to requests for multiple patients’ data because we make no assumption regarding the re-use of technical infrastructure for “read” services for single and multiple patients in Health IT Modules.

Response to Requests for a Single Patient’s Data

  1. The health IT developer demonstrates the ability of the Health IT Module to return all of the data associated with requests for a single patient’s data according to the “US Core Server CapabilityStatement” section of the implementation specification adopted in § 170.215(a)(2) for all the data included in the standard adopted in § 170.213.

Response to Requests for Multiple Patients’ Data

  1. The health IT developer demonstrates the ability of the Health IT Module to respond to requests for multiple patients’ data according to the implementation specification adopted in § 170.215(a)(4) for all of the FHIR resources associated with the profiles and Data Elements specified in and according to the standard adopted in § 170.213 and implementation specification adopted in § 170.215(a)(2), including the following FHIR resources:
    • “AllergyIntolerance”;
    • “CarePlan”;
    • “CareTeam”;
    • “Condition”;
    • “Device”;
    • “DiagnosticReport”;
    • “DocumentReference”;
    • “Encounter”;
    • “Goal”;
    • “Immunization”;
    • “Location”;
    • “Medication” (if supported);
    • “MedicationRequest”;
    • “Observation”;
    • “Organization”;
    • "Patient";
    • “Practitioner”;
    • “Procedure”; and
    • “Provenance”.
  2. The health IT developer demonstrates the ability of the Health IT Module to limit the data returned to only those FHIR resources for which the client is authorized according to the implementation specification adopted in § 170.215(a)(4).
  3. The health IT developer demonstrates the ability of the Health IT Module to support a successful data response according to the implementation adopted in § 170.215(a)(4).
  4. The health IT developer demonstrates the ability of the Health IT Module to support a data response error according to the implementation adopted in § 170.215(a)(4).
  5. The health IT developer demonstrates the ability of the Health IT Module to support a bulk data delete request according to the implementation specification adopted in § 170.215(a)(4).
  6. The health IT developer demonstrates the ability of the Health IT Module to support a bulk data status request according to the implementation specification adopted in § 170.215(a)(4).
  7. The health IT developer demonstrates the ability of the Health IT Module to support a file request according to the implementation specification adopted in § 170.215(a)(4), including support for the “ndjson” format for files provided.
  8. The health IT developer demonstrates that the information provided as part of this data response includes data for patients in the group identifier provided during the “group-export” request.

Data Response Checks for Single and Multiple Patients

  1. For responses to data for single and multiple patients as described in steps 7 and 8 of this section respectively, the tester verifies the ability of the Health IT Module to respond to requests for data according to the implementation specification adopted in § 170.215(a)(2), including the following steps.
  2. The tester verifies the ability of the Health IT Module to respond with data that meet the following conditions:
    • All data elements indicated with a cardinality of one or greater and / or “must support” are included;
    • Content is structurally correct;
    • All invariant rules are met;
    • All data elements with required “ValueSet” bindings contain codes within the bound “ValueSet”;
    • All information is accurate and without omission; and
    • All references within the resources can be resolved and validated, as applicable, according to steps 2-6 of this section.
  3. The tester verifies the ability of the Health IT Module to support a “Provenance” FHIR resource for all the FHIR resources included in the standard adopted in § 170.213 and implementation specification adopted in § 170.215(a)(2) according to the “Basic Provenance Guidance” section of the implementation specification adopted in § 170.215(a)(2).
  4. The tester verifies the ability of the Health IT Module to support a “DocumentReference” and/or "DiagnosticReport" FHIR resource for each of the “Clinical Notes” and “Diagnostic Reports” included in and according to the “Clinical Notes Guidance” section of the implementation specification adopted in § 170.215(a)(2).
  5. If supported, and for responses to data for a single patient only, the tester verifies the ability of the Health IT Module to support a “Medication” FHIR resource according to the “Medication List Guidance” section of the implementation specification adopted in § 170.215(a)(2).
  6. The tester verifies the ability of the Health IT Module to support “Missing Data” according to the implementation specification adopted in § 170. 215(a)(2), including:
    • For non-coded data elements; and
    • For coded data elements, including support for the “DataAbsentReason” Code System.

Note: We require the tester to verify support for the tests above for both responses to requests for a single patient’s data and responses to requests for multiple patients’ data because we make no assumption regarding the re-use of technical infrastructure for “read” services for single and multiple patients in Health IT Modules.

Response to Requests for a Single Patient’s Data

  1. The tester verifies the ability of the Health IT Module to return all of the data associated with requests for a single patient’s data according to the “US Core Server CapabilityStatement” section of the implementation specification adopted in § 170.215(a)(2) for all the data included in the standard adopted in § 170.213.

Response to Requests for Multiple Patients’ Data

  1. The tester verifies the ability of the Health IT Module to respond to requests for multiple patients’ data according to the implementation specification adopted in § 170.215(a)(4) for all of the FHIR resources associated with the profiles and Data Elements specified in and according to the standard adopted in § 170.213 and implementation specification adopted in § 170.215(a)(2), including the following FHIR resources:
    • “AllergyIntolerance”;
    • “CarePlan”;
    • “CareTeam”;
    • “Condition”;
    • “Device”;
    • “DiagnosticReport”;
    • “DocumentReference”;
    • “Encounter”;
    • “Goal”;
    • “Immunization”;
    • “Location”;
    • “Medication” (if supported);
    • “MedicationRequest”;
    • “Observation”;
    • “Organization”;
    • "Patient"
    • “Practitioner”;
    • “Procedure”; and
    • “Provenance”.
  2. The tester verifies the ability of the Health IT Module to limit the data returned to only those FHIR resources for which the client is authorized according to the implementation specification adopted in § 170.215(a)(4).
  3. The tester verifies the ability of the Health IT Module to support a successful data response according to the implementation adopted in § 170.215(a)(4).
  4. The tester verifies the ability of the Health IT Module to support a data response error according to the implementation adopted in § 170.215(a)(4).
  5. The tester verifies the ability of the Health IT Module to support a bulk data delete request according to the implementation specification adopted in § 170.215(a)(4).
  6. The tester verifies the ability of the Health IT Module to support a bulk data status request according to the implementation specification adopted in § 170.215(a)(4).
  7. The tester verifies the ability of the Health IT Module to support a file request according to the implementation specification adopted in § 170.215(a)(4), including support for the “ndjson” format for files provided.
  8. The tester verifies that the information provided as part of this data response includes data for patients in the group identifier provided during the “group-export” request.

Paragraph (g)(10)(viii) – Documentation

System Under Test Test Lab Verification

API Documentation Requirements

  1. The health IT developer supplies documentation describing the API(s) of the Health IT Module and includes at a minimum:
    • API syntax;
    • Function names;
    • Required and optional parameters supported and their data types;
    • Return variables and their types/structures;
    • Exceptions and exception handling methods and their returns;
    • Mandatory software components;
    • Mandatory software configurations; and
    • All technical requirements and attributes necessary for registration.
  2. The health IT developer demonstrates that the documentation described in step 1 of this section is available via a publicly accessible hyperlink that does not require preconditions or additional steps to access.
  3. To fulfill the API Maintenance of Certification requirement at § 170.404(b)(2), the health IT developer demonstrates the public location of its certified API technology service base URLs. 

API Documentation Requirements

  1. The tester verifies that the documentation supplied by the health IT developer describing the API(s) of the Health IT Module includes at a minimum:
    • API syntax;
    • Function names;
    • Required and optional parameters supported and their data types;
    • Return variables and their types/structures;
    • Exceptions and exception handling methods and their returns;
    • Mandatory software components;
    • Mandatory software configurations; and
    • All technical requirements and attributes necessary for registration.
  2. The tester verifies that the documentation described in step 1 of this section is available via a publicly accessible hyperlink that does not require preconditions or additional steps to access.
  3. To fulfill the API Maintenance of Certification requirement at § 170.404(b)(2), the tester verifies the public location of the health IT developer's certified API technology service base URLs. 

Version 1.7 Updated on 07-27-2021
Resource Documents
Revision History
Version # Description of Change Version Date
1.0

Initial Publication

06-15-2020
1.1

Amended text to remove pronoun "we," added clarifications based on gaps between United States Core Data for Interoperability (USCDI) and US Core Implementation Guide (IG), clarified "must support" references, removed requirement for patient facing scopes based on US Core IG "must support" references, added clarification for "Encounter," added clarification for launch scenarios included in testing and certification, added clarification regarding US Core IG LOINC code for testing and certification. 

08-07-2020
1.2

Updated compliance date, regulatory text, and standard for trial use (STU) 3 Release 3.1.1 at § 170.215(2), per the Interim Final Rule (IFR), Information Blocking and the ONC Health IT Certification Program: Extension of Compliance Dates and Timeframes in Response to the COVID-19 Public Health EmergencyAdded clarification for USCDI / US Core IG Provenance.  Added clarification for US Core IG “must support” elements with multiple Choices and References.

11-02-2020
1.3

Updated clarifications based on adoption of US Core IG 3.1.1, which include removing USCDI "allergy intolerance," USCDI "head circumference," and US Core IG "RelatedPerson" and "PractitionerRole" clarifications. Addressed typo in 170.315 (g)(10)(vii) by removing duplicative test "is not supported."

12-16-2020
1.4

Added clarification regarding the standardized API conformance expectations of legacy information for the ONC Health IT Certification Program. Added clarification regarding the handling of SMART IG patient/[resource] and user[resource] scopes and US Core IG resources. Added clarification about refresh token support for native applications. Finally, added clarification regarding the SMART IG "permission-offline" SMART on FHIR Core Capability. 

04-02-2021
1.5

Added clarification regarding refresh token support for native applications and  SMART Application Launch Framework Implementation Guide Release 1.0.0 standard (incorporated by reference at § 170.215(a)(3))

05-13-2021
1.6

Fixed broken links to “Basic Provenance Guidance” section of the US Core IG.

06-10-2021
1.7

Added paragraph adopting “FHIR Bulk Data Access (Flat FHIR) (v1.0.1: STU 1)” in ONC Certification Program, which includes technical errata for “FHIR Bulk Data Access (Flat FHIR) (v1.0.0: STU 1)”.

07-27-2021
Regulation Text
Regulation Text

§ 170.315(g)(10) Standardized API for patient and population services

The following technical outcomes and conditions must be met through the demonstration of application programming interface technology.

  1. Data response.
    1. Respond to requests for a single patient’s data according to the standard adopted in § 170.215(a)(1) and implementation specification adopted in § 170.215(a)(2), including the mandatory capabilities described in “US Core Server CapabilityStatement,” for each of the data included in the standard adopted in § 170.213. All data elements indicated as “mandatory” and “must support” by the standards and implementation specifications must be supported.
    2. Respond to requests for multiple patients’ data as a group according to the standard adopted in § 170.215(a)(1), and implementation specifications adopted in § 170.215(a)(2) and (4), for each of the data included in the standard adopted in § 170.213. All data elements indicated as “mandatory” and “must support” by the standards and implementation specifications must be supported.
  2. Supported search operations.
    1. Respond to search requests for a single patient’s data consistent with the search criteria included in the implementation specification adopted in § 170.215(a)(2), specifically the mandatory capabilities described in “US Core Server CapabilityStatement”.
    2. Respond to search requests for multiple patients' data consistent with the search criteria included in the implementation specification adopted in § 170.215(a)(4).
  3. Application registration. Enable an application to register with the Health IT Module’s “authorization server.”
  4. Secure connection.
    1. Establish a secure and trusted connection with an application that requests data for patient and user scopes in accordance with the implementation specifications adopted in § 170.215(a)(2) and (3).
    2. Establish a secure and trusted connection with an application that requests data for system scopes in accordance with the implementation specification adopted in § 170.215(a)(4).
  5. Authentication and authorization.
    1. Authentication and authorization for patient and user scopes.
      1. First time connections.
        1. Authentication and authorization must occur during the process of granting access to patient data in accordance with the implementation specification adopted in § 170.215(a)(3) and standard adopted in § 170.215(b).
        2.  A Health IT Module’s authorization server must issue a refresh token valid for a period of no less than three months to applications capable of storing a client secret. 
        3. A Health IT Module’s authorization server must issue a refresh token for a period of no less than three months to native applications capable of securing a refresh token. 
      2. Subsequent connections.
        1. Access must be granted to patient data in accordance with the implementation specification adopted in§ 170.215(a)(3) without requiring re-authorization and re-authentication when a valid refresh token is supplied by the application.
        2. A Health IT Module’s authorization server must issue a refresh token valid for a new period of no less than three months to applications capable of storing a client secret. 
    2. Authentication and authorization for system scopes. Authentication and authorization must occur during the process of granting an application access to patient data in accordance with the “SMART Backend Services: Authorization Guide” section of the implementation specification adopted in § 170.215(a)(4) and the application must be issued a valid access token.
  6. Patient authorization revocation. A Health IT Module’s authorization server must be able to revoke an authorized application’s access at a patient’s direction.
  7. Token introspection. A Health IT Module’s authorization server must be able to receive and validate tokens it has issued.
  8. Documentation.
    1. The API(s) must include complete accompanying documentation that contains, at a minimum:
      1. API syntax, function names, required and optional parameters supported and their data types, return variables and their types/structures, exceptions and exception handling methods and their returns.
      2.  The software components and configurations that would be necessary for an application to implement in order to be able to successfully interact with the API and process its response(s).
      3. All applicable technical requirements and attributes necessary for an application to be registered with a Health IT Module’s authorization server.
    2. The documentation used to meet paragraph (g)(10)(viii)(A) of this section must be available via a publicly accessible hyperlink without any preconditions or additional steps.
Standard(s) Referenced

Paragraph (g)(10)(i)(A)

§ 170.215(a)(1) Health Level 7 (HL7®) Version 4.0.1 Fast Healthcare Interoperability Resources Specification (FHIR®) Release 4, October 30, 2019

§ 170.215(a)(2) FHIR® US Core Implementation Guide STU V3.1.1

§ 170.213 United States Core Data for Interoperability (USCDI)

Paragraph (g)(10)(i)(B)

§ 170.215(a)(1) HL7® Version 4.0.1 FHIR® Release 4, October 30, 2019

§ 170.215(a)(2) FHIR® US Core Implementation Guide STU V3.1.1

§ 170.213 USCDI

§ 170.215(a)(4) HL7®  FHIR Bulk Data Access (Flat FHIR) (V1.0.0:STU 1)

Paragraph (g)(10)(ii)(A)

§ 170.215(a)(2) FHIR® US Core Implementation Guide STU V3.1.1

Paragraph (g)(10)(ii)(B)

§ 170.215(a)(4) HL7® FHIR® Bulk Data Access (Flat FHIR®) (V1.0.0:STU 1)

Paragraph (g)(10)(iii)

None

Paragraph (g)(10)(iv)(A)

§ 170.215(a)(2) FHIR® US Core Implementation Guide STU V3.1.1

§ 170.215(a)(3) HL7® SMART Application Launch Framework Implementation Guide Release 1.0.0

Paragraph (g)(10)(iv)(B)

§ 170.215(a)(4) HL7® FHIR Bulk Data Access (Flat FHIR) (V1.0.0:STU 1)

Paragraph (g)(10)(v)(A)(1)

§ 170.215(a)(3) HL7® SMART Application Launch Framework Implementation Guide Release 1.0.0

§ 170.215(b) OpenID Connect Core 1.0 incorporating errata set 1

Paragraph (g)(10)(v)(A)(2)

§ 170.215(a)(3) HL7® SMART Application Launch Framework Implementation Guide Release 1.0.0

Paragraph (g)(10)(v)(B)

§ 170.215(a)(4) HL7® FHIR Bulk Data Access (Flat FHIR) (V1.0.0:STU 1)

Paragraph (g)(10)(vi)

None

Paragraph (g)(10)(vii)

None

Paragraph (g)(10)(viii)

None

Testing
Testing Tool

Inferno

Test Tool Documentation

Inferno User’s Guide

Criterion Subparagraph Test Data

Certification Companion Guide: Standardized API for patient and population services

This Certification Companion Guide (CCG) is an informative document designed to assist with health IT product development. The CCG is not a substitute for the 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program Final Rule (ONC Cures Act Final Rule). It includes extracts of preamble and regulation text from the ONC Cures Act Final Rule with accompanying clarifying interpretations. To access the full context of regulatory intent please consult the ONC Cures Act Final Rule or other included regulatory reference. This CCG is for public use and should not be sold or redistributed.

 

 

Certification Requirements

Privacy and Security: This certification criterion was adopted in § 170.315(g)(10). As a result, an ONC-ACB must ensure that a product presented for certification to this criterion includes the privacy and security criteria (adopted in § 170.315(d)) within the overall scope of the certificate issued to the product.

  • The privacy and security criteria (adopted in § 170.315(d)) do not need to be explicitly tested with this specific criterion unless it is the only criterion for which certification is requested.
  • As a general rule, a product presented for certification only needs to be tested once to each applicable privacy and security criterion (adopted in § 170.315(d)) so long as the health IT developer attests that such privacy and security capabilities apply to the full scope of capabilities included in the requested certification.

Design and Performance: The following design and performance certification criteria (adopted in § 170.315(g)) must also be certified in order for the product to be certified.

  • When a single quality management system (QMS) is used, the QMS only needs to be identified once. Otherwise, when different QMS are used, each QMS needs to be separately identified for every capability to which it was applied.
  • When a single accessibility-centered design standard is used, the standard only needs to be identified once. Otherwise, the accessibility-centered design standards need to be identified for every capability to which they were applied; or, alternatively the developer must state that no accessibility-centered design was used.
Table for Privacy and Security
Technical Explanations and Clarifications

 

Applies to Entire Criterion

Clarifications:

  • On December 31, 2022, the API certification criterion in § 170.315(g)(10) replaces the “application access—data category request” certification criterion (§ 170.315(g)(8)).
  • Health IT Modules are not required to support patient-facing API-enabled “read” services for multiple patients for the purposes of this certification criterion.
  • The clinical note text included in any of the notes described in the “Clinical Notes Guidance” section of the US Core IG adopted in § 170.215(a)(2) must be represented in a “plain text” form, and it would be unacceptable for the note text to be converted to another file or format (e.g., .docx, PDF) when it is provided as part of an API response. The intent of this policy is to prohibit Health IT Modules from converting clinical notes from a “machine readable” format to a non-“machine readable” format (e.g., PDF). Clinical note text that originates from outside Health IT Modules should be exchanged using its original format. Additionally, “plain text” does not necessarily mean the FHIR “contentType” “text/plain.”
  • The US Core IG Profile “StructureDefinition-us-core-patient” element “name.suffix” is required for testing and certification in the ONC Certification Program to meet the USCDI requirement to support the “Patient Demographics” Data Class: “Suffix” Data Element.
  • Either the US Core IG Profile “StructureDefinition-us-core-patient” element “name.period” or “name.use” is required for testing and certification in the ONC Certification Program to meet the USCDI requirement to support the “Patient Demographics” Data Class: “Previous Name” Data Element.
  • A Health IT Module must support at least one Choice or Reference for US Core IG “must support” elements with multiple Choices or References, respectively. 
  • A Health IT Module must be conformant to the US Core IG for all Choices and References included in its standardized API, and cannot misrepresent Choices via the standardized API (e.g. a Health IT Module cannot transform “integer” values to “string” values). 
  • A health IT developer must document which US Core IG Choices and References are supported by their Health IT Module via public technical documentation to meet the requirements at § 170.315(g)(10)(viii) and the transparency conditions at § 170.404(a)(2). 
  • Information originating from the (g)(10)-certified Health IT Module must conform to the requirements included in the criterion, but legacy information and information from outside systems is not required to be mapped to the United States Core Data for Interoperability (USCDI) “Applicable Standards” and the US Core IG terminologies and value sets. However, health IT developers are encouraged to exceed the minimum requirements described in § 170.315(g)(10) to support the mapping of legacy information to the terminologies and value sets included in the USCDI and US Core IG where possible.
  • In order to mitigate potential interoperability errors and inconsistent implementation of the FHIR Bulk Data Access (Flat FHIR) (v1.0.0: STU 1) standard, ONC assesses, approves, and incorporates corrections (errata) as part of required certification and testing to this criterion. Compliance with the following errata is necessary because the errata implements technical corrections and clarifications to the FHIR Bulk Data Access (Flat FHIR) (v1.0.0: STU 1) standard. There is a 90-day delay from the time the CCG has been updated with the ONC-approved errata to when compliance with the errata will be required to pass testing. Similarly, there will be an 18-month delay before a finding of an erratum’s absence in a Certified Health IT Module during surveillance would constitute a non-conformity under the Program.

 

Paragraph (10)(i)(A)

Technical outcome – Respond to requests for a single patient’s data according to the standard adopted in § 170.215(a)(1) and implementation specification adopted in § 170.215(a)(2), including the mandatory capabilities described in “US Core Server CapabilityStatement,” for each of the data included in the standard adopted in § 170.213. All data elements indicated as “mandatory” and “must support” by the standards and implementation specifications must be supported.

Clarifications:

  • All data elements and operations indicated as “mandatory” and “must support” by the standards and implementation specifications must be supported and are in-scope for testing.
  • For “Encounter,” “Organization,” and “Practitioner,” US Core IG profiles, only the “read” type interaction must be supported and will be included in testing and certification. For the “Location” FHIR resource, Health IT Modules must either demonstrate support for the “read” type interaction or demonstrate support for providing the “Location” and FHIR resource references as a contained resource. The “search” type interactions for these profiles and resource are not in scope for testing and certification. Health IT Modules must support these US Core IG profiles / FHIR resource because they are included as “must support” data elements in US Core IG profiles required by the USCDI.
  • Health IT Modules must support provenance according to the “Basic Provenance Guidance” section of the US Core IG. 

 

Paragraph (10)(i)(B)

Technical outcome – Respond to requests for multiple patients’ data as a group according to the standard adopted in § 170.215(a)(1), and implementation specifications adopted in § 170.215(a)(2) and (4), for each of the data included in the standard adopted in § 170.213. All data elements indicated as “mandatory” and “must support” by the standards and implementation specifications must be supported.

Clarifications:

  • Health IT Modules may support scopes using either “system/*.read” or a list of “system/[resource].read,” where [resource] is the FHIR resource name, to enable the export of multiple patients’ data as a group.
  • During testing and certification for multiple patient services, Health IT Modules must demonstrate support for “Encounter,” “Organization,” and “Practitioner” US Core IG FHIR Profiles. 
  • Health IT Modules must demonstrate support for “Location” FHIR resources by providing this resource as part of the multiple patient services response, or by including it as a contained resource as part of the multiple patient services response.
  • Health IT Modules must support provenance according to the “Basic Provenance Guidance” section of the US Core IG. 

 

Paragraph (10)(ii)(A)

Technical outcome – Respond to search requests for a single patient’s data consistent with the search criteria included in the implementation specification adopted in § 170.215(a)(2), specifically the mandatory capabilities described in “US Core Server CapabilityStatement”.

Clarifications:

  • All data elements indicated as “mandatory” and “must support” by the standards and implementation specifications must be supported and are in scope for testing.

 

Paragraph (10)(ii)(B)

Technical outcome – Respond to search requests for multiple patients' data consistent with the search criteria included in the implementation specification adopted in § 170.215(a)(4).

Clarifications:

  • No additional clarifications.

 

Paragraph (10)(iii)

Technical outcome – Enable an application to register with the Health IT Module’s “authorization server.”

Clarifications:

  • Health IT presented for testing and certification must support app registration regardless of the scope of patient search utilized by the application (e.g. single or multiple).
  • This certification criterion requires a health IT developer, as finalized in the Condition of Certification requirements, to demonstrate its registration process, but does not require conformance to a standard.
  • The third-party application registration process that a health IT developer must meet under this criterion is not a form of review or “vetting” for purposes of this criterion.
  • For demonstration of the SMART IG "Standalone Launch" steps, health IT developers are permitted to scope US Core IG resources that do not exist in either the standard adopted at § 170.213 (USCDI version 1) or the "Compartment Patient" section of the standard adopted at § 170.215(a)(1) (HL7 FHIR Release 4.0.1) as either patient/[Resource] or user/[Resource]. These resources include “Encounter,” “Device,” “Location,” “Medication,” “Organization,” “Practitioner,” and “PractitionerRole.” Health IT developers must document their supported scopes according to the technical documentation requirements at § 170.315(g)(10)(viii)(A) and § 170.404(a)(2).

 

Paragraph (10)(iv)(A)

Technical outcome – Establish a secure and trusted connection with an application that requests data for patient and user scopes in accordance with the implementation specifications adopted in § 170.215(a)(2) and (3).

Clarifications:

  • Connections below TLS version 1.2 must be denied.

 

Paragraph (10)(iv)(B)

Technical outcome – Establish a secure and trusted connection with an application that requests data for system scopes in accordance with the implementation specification adopted in § 170.215(a)(4).

Clarifications:

  • Connections below TLS version 1.2 must be denied.

 

Paragraph (10)(v)(A)(1)

Technical outcome – For first time connections, authentication and authorization must occur during the process of granting access to patient data in accordance with the implementation specification adopted in § 170.215(a)(3) and standard adopted in § 170.215(b). Additionally, a Health IT Module's authorization server must issue a refresh token valid for a period of no less than three months to applications capable of storing a client secret. Finally, a Health IT Module's authorization server must issue a refresh token for a period of no less than three months to native applications capable of securing a refresh token.

Clarifications:

  • Health IT Modules will be explicitly tested for US Core IG operations using authentication and authorization tokens acquired via the process described in the implementation specification adopted in § 170.215(a)(3).
  • Only the relevant parts of the OpenID Connect Core 1.0 including errata set 1 adopted in § 170.215(b) that are also included in the implementation specification adopted in § 170.215(a)(3) will be in-scope for testing and certification.
  • The “SMART on FHIR Core Capabilities” in § 170.215(a)(3) are explicitly required for testing and certification because these capabilities are otherwise indicated as optional in the implementation specification. 
  • As part of the “permission-patient” “SMART on FHIR Core Capability” in § 170.215(a)(3), Health IT Modules presented for testing and certification must include the ability for patients to authorize an application to receive their electronic health information (EHI) based on FHIR resource-level scopes. Specifically, this means patients would need to have the ability to authorize access to their EHI at the individual FHIR resource level, from one specific FHIR resource (e.g., “Immunization”) up to all FHIR resources necessary to implement the standard adopted in § 170.213 and implementation specification adopted in § 170.215(a)(2).
  • Although Health IT Modules presented for testing and certification must include the ability for patients to authorize an application to receive their EHI based on FHIR resource-level scopes, Health IT Modules are not prohibited from presenting authorization scopes in a more user-friendly format (e.g. grouping resources under categories, renaming the scopes for easier comprehension by the end-user, using more granular scopes), as long as the ability for patients to authorize applications based on resource-level scopes is available, if requested by the patient.
  • Health IT Modules will only be tested for the "Patient Access for Standalone Apps" and "Clinician Access for EHR Launch" scenarios described in the standard adopted at § 170.215(a)(3).
  • Since "Encounter" is not currently a USCDI Data Class or Data Element, we will not test Health IT Modules for support for "context-ehr-encounter" or "context-standalone-encounter" SMART on FHIR Core Capabilities described in the standard adopted at § 170.215(a)(3). 
  • Implementers of § 170.315(g)(10)-certified Health IT Modules should be mindful of the information blocking provisions.
  • As part of the requirements at § 170.315(g)(10)(v)(A)(1)(iii), health IT developers must publish the method(s) by which their Health IT Modules support the secure issuance of an initial refresh token to native applications according to the technical documentation requirements at § 170.315(g)(10)(viii) and transparency conditions at § 170.404(a)(2). 
  • Application developer affirmations to health IT developers regarding the ability of their applications to secure a refresh token, a client secret, or both, must be treated in a good faith manner consistent with the provisions established in the openness and pro-competitive conditions at § 170.404(a)(4). 
  • Health IT developers can determine the method(s) they use to support interactions with native applications and clarify that health IT developers are not required to support all methods third-party application developers seek to use. 
  • ONC recognizes there may be some ambiguity in the HL7® SMART Application Launch Framework Implementation Guide Release 1.0.0 standard (incorporated by reference at § 170.215(a)(3)) in its guidance for supporting native applications, in particular, in providing references to best practices, strategies, and examples such as “OAuth 2.0 for Native Apps: 8.5. Client Authentication”, “OAuth 2.0 Dynamic Client Registration Protocol”, and “universal redirect_uris” without a standardized solution. ONC provides flexibility for how the health IT developer implements the HL7® SMART Application Launch Framework implementation specification, as long as the  Certified Health IT Module supports for first time connections the issuance of three-month refresh tokens to native applications capable of securing a refresh token.
  • The paragraph at § 170.215(a)(3) requires health IT developers to support the SMART Application Launch Framework Implementation Guide (SMART IG) “SMART [on FHIR] Core Capabilities,” including “permission-offline,” which grants support for refresh tokens. The ONC Cures Act Final Rule states, “…Importantly, the implementation specification adopted in § 170.215(a)(3) requires that patients have the ability to explicitly enable the “offline_access” scope during authorization. If the “offline_access” scope is not enabled by patients, patients will be required to re-authenticate and re-authorize an application's access to their EHI after the application's access token expires…” (85 FR 25747). However, the ability of a patient to explicitly enable the “offline_access” scope during authorization is not described in the implementation specification. ONC clarifies that health IT developers must support the ability for patients to be provided information about an application’s request for persistent access prior to the patient sharing their health information, in order to enable patients to make an informed decision during authorization. Examples include, but are not limited to a health IT developer allowing patients to granularly grant “offline-access” scopes during authorization or clearly providing this information as a notice during authorization. The critical requirement is that patients are empowered to deny authorization for offline access.

 

Paragraph (10)(v)(A)(2)

Technical outcome – For subsequent connections, access must be granted to patient data in accordance with the implementation specification adopted in § 170.215(a)(3) without requiring re-authorization and re-authentication when a valid refresh token is supplied by the application. Additionally, a Health IT Module's authorization server must issue a refresh token valid for a new period of no less than three months to applications capable of storing a client secret.

Clarifications:

  • No additional clarifications.

 

Paragraph (10)(v)(B)

Technical outcome – Authentication and authorization must occur during the process of granting an application access to patient data in accordance with the “SMART Backend Services: Authorization Guide” section of the implementation specification adopted in § 170.215(a)(4) and the application must be issued a valid access token.

Clarifications:

  • No additional clarifications.

 

Paragraph (10)(vi)

Technical outcome – A Health IT Module’s authorization server must be able to revoke an authorized application’s access at a patient’s direction.

Clarifications:

  • This is a functional requirement to allow health IT developers the ability to implement it in a way that best suits their existing infrastructure and allows for innovative models for authorization revocation to develop.
  • Patients are expected to have the ability to revoke an authorized application’s access to their EHI at any time.

 

Paragraph (10)(vii)

Technical outcome – A Health IT Module’s authorization server must be able to receive and validate tokens it has issued.

Clarifications:

  • Although ONC does not specify a standard for token introspection, ONC encourages industry to coalesce around using a common standard, like OAuth 2.0 Token Introspection (RFC 7662).

 

Paragraph (10)(viii)(A)

Technical outcome – The API(s) must include complete accompanying documentation that contains, at a minimum: (1) API syntax, function names, required and optional parameters supported and their data types, return variables and their types/structures, exceptions and exception handling methods and their returns; (2) The software components and configurations that would be necessary for an application to implement in order to be able to successfully interact with the API and process its response(s); and (3) All applicable technical requirements and attributes necessary for an application to be registered with a Health IT Module’s authorization server.

Clarifications:

  • Health IT developers are not required to re-publish documentation from the adopted standards and implementation specifications. However, health IT developers must publish documentation that goes beyond the adopted standards and implementation specifications.
  • Health IT developers are expected to disclose any additional data their § 170.315(g)(10)-certified Health IT Module supports in the context of the adopted standards and implementation specifications.

 

Paragraph (10)(viii)(B)

Technical outcome – The documentation used to meet paragraph (g)(10)(viii)(A) of this section must be available via a publicly accessible hyperlink without any preconditions or additional steps.

Clarifications:

  • No additional clarifications.

Content last reviewed on August 2, 2021
Was this page helpful?