App Onboarding Process
1. Develop your client
Use the relevant version of Interoperability Engine API documentation and terms for third-party client application developers from the HealthToGo App Studio site. This is the documentation needed to build a client application that leverages health data made available by Data Holders with EMR Direct Interoperability Engine.
Consider whether the app will use authorization code flow with a username/password assigned by the Data Holder (for example, patient portal credentials used by patients) or client credentials flow (when an end user is not present to enter credentials or an enterprise/client-level authorization is appropriate). If the app's use case requires client credentials and the Data Holder supports access by your app using client credentials, implement UDAP JWT-based Authentication using a trusted certificate.
Use of the client credentials grant requires an out-of-band registration process to obtain the certificate (see step 2 below). UDAP JWT-based Authentication can also be used with authorization code flow in UDAP workflows.
Be sure to follow best practices for making users aware of the app's security and data management policies. If the app's use goes beyond individual access to a patient's own data, enter into any necessary agreements with the Data Holder prior to requesting data.
2. Register your client with EMR Direct
Client applications intended for use with a patient's own credentials as part of SMART Authorization Code Flow have the option to register dynamically according to the Interoperability Engine API documentation and the referenced OAuth Dynamic Client Registration standard. For client applications that do not support Dynamic Client Registration, or that wish to use client credentials, manual registration and UDAP certificates are available by registering as an EMR Direct Developer.
Please see the related note on Requirements for Client Registration for additional information.
3. Make FHIR data requests
If the app was dynamically or manually registered and received a client ID and secret, proceed with those credentials, and user credentials if using authorization code flow, to access FHIR resources according to the SMART App Launch framework.
If the app was manually registered and obtained a UDAP certificate from EMR Direct, use UDAP JWT-Based Client Authentication to submit a signed authentication token and obtain an access token (steps 3-7 of the UDAP JWT-Based Client Authentication profile), then proceed with authorization code or client credentials flow.
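The UDAP JWT-Based Client Authentication exchange described above, as an added example that is not part of this article or of EMR Direct's software: the client builds and signs the authentication token (header alg RS256 with its certificate in x5c; claims iss and sub set to the client_id, aud set to the token endpoint, exp at most 5 minutes after iat, and a unique jti), forms the client credentials token request, and a token endpoint validates the token before issuing an access token. The token endpoint URL, the client_id, the scope and the self-signed certificate are constructed placeholders (the real certificate is the one EMR Direct issues on manual registration), and the server-side check compares the presented x5c certificate to the one registered for the client rather than validating a chain, which a production server must do.

```ruby
require "openssl"
require "json"
require "securerandom"
require "uri"

# Constructed placeholders: the real token endpoint comes from the Data Holder's
# server metadata and the client_id from registration with EMR Direct.
TOKEN_ENDPOINT = "https://data-holder.example/oauth/token"
CLIENT_ID = "placeholder-client-id"
ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

# JWT segments are base64url without padding (RFC 7515); x5c entries are standard base64.
def b64url(bytes)
  [bytes].pack("m0").tr("+/", "-_").delete("=")
end

def b64url_decode(text)
  (text.tr("-_", "+/") + "=" * (-text.length % 4)).unpack1("m0")
end

# Key pair and self-signed certificate standing in for the UDAP certificate that
# EMR Direct issues to a registered developer (placeholder only).
def placeholder_credentials
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{CLIENT_ID}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 3600
  cert.not_after = Time.now + 86_400
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [key, cert]
end

# Client side: the signed Authentication Token. iss/sub carry the client_id, aud the
# token endpoint, exp is 5 minutes after iat, jti is unique so replays can be detected.
def build_auth_token(key, cert, now = Time.now)
  header = { alg: "RS256", x5c: [[cert.to_der].pack("m0")] }
  claims = { iss: CLIENT_ID, sub: CLIENT_ID, aud: TOKEN_ENDPOINT,
             iat: now.to_i, exp: now.to_i + 300, jti: SecureRandom.uuid }
  signing_input = "#{b64url(header.to_json)}.#{b64url(claims.to_json)}"
  "#{signing_input}.#{b64url(key.sign(OpenSSL::Digest.new("SHA256"), signing_input))}"
end

# Form body POSTed to the token endpoint in client credentials flow (scope is assumed).
def token_request_body(assertion, scope)
  URI.encode_www_form(grant_type: "client_credentials", client_assertion_type: ASSERTION_TYPE,
                      client_assertion: assertion, udap: "1", scope: scope)
end

# Token endpoint side. The x5c certificate must be the one registered for the client
# (a production server validates the chain to its trust anchors instead of comparing
# bytes), the signature must verify under it, and every claim is checked before any
# access token is issued. Any raise means the request is rejected.
def verify_auth_token(token, registered_cert, seen_jti, now = Time.now)
  parts = token.split(".")
  raise "malformed token" unless parts.length == 3
  h, c, s = parts
  header = JSON.parse(b64url_decode(h))
  raise "need alg RS256 and an x5c header" unless header["alg"] == "RS256" && header["x5c"].is_a?(Array)
  cert = OpenSSL::X509::Certificate.new(header["x5c"][0].unpack1("m0"))
  raise "x5c certificate is not the one registered for this client" unless cert.to_der == registered_cert.to_der
  ok = cert.public_key.verify(OpenSSL::Digest.new("SHA256"), b64url_decode(s), "#{h}.#{c}") rescue false
  raise "signature does not verify under the x5c certificate" unless ok
  claims = JSON.parse(b64url_decode(c))
  raise "aud is not this token endpoint" unless claims["aud"] == TOKEN_ENDPOINT
  raise "iss/sub do not match the registered client_id" unless claims["iss"] == CLIENT_ID && claims["sub"] == CLIENT_ID
  exp, iat = claims.values_at("exp", "iat")
  raise "expired or lifetime over 5 minutes" unless exp.is_a?(Integer) && iat.is_a?(Integer) &&
                                                       exp - iat <= 300 && now.to_i < exp
  raise "jti already used (replay)" if seen_jti.include?(claims["jti"])
  seen_jti << claims["jti"]
  claims
end

if __FILE__ == $PROGRAM_NAME
  key, cert = placeholder_credentials
  token = build_auth_token(key, cert)
  puts "claims accepted: #{verify_auth_token(token, cert, [])}"
  puts "token request body: #{token_request_body(token, 'system/Patient.read')[0, 80]}..."
end
```

The server-side checks are the part worth copying: aud binds the token to one endpoint so a token captured elsewhere cannot be replayed here, the 5-minute lifetime and the jti store bound the window for replay of a captured token, and the certificate comparison (chain validation in production) ties the signing key to the identity established at registration.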
If the endpoint you wish to query is not found in our FHIR Endpoint Directory (coming soon!), contact the Data Holder directly or check NPPES for their FHIR resource endpoint. The Data Holder or health system is also the best point of contact for additional questions about the credentials needed to access the system or about the Data Holder's privacy policy and terms of use.