FHIR Client App Onboarding Process
1. Develop your client
Use the relevant version of Interoperability Engine API documentation and terms for third-party client application developers from the HealthToGo App Studio site or the vendor's CHPL listing. This is the documentation needed to build a client application that leverages health data made available as FHIR resources by data holders using EMR Direct.
As part of development, decide which credentials the app will use: a user-facing authorization code flow with username/password (for example, patient portal credentials used by patients) or client credentials (when an end user is not present to enter credentials or an enterprise/client-level authorization is appropriate).
Follow best practices for making users aware of the app's security and privacy practices. If the app's use goes beyond individual access to a patient's own data, enter into any necessary agreements with the data holder prior to requesting data.
2. Register your client
Client applications intended for use with a patient's own credentials as part of the SMART App Launch framework can register dynamically, according to the API documentation and the referenced OAuth Dynamic Client Registration standard, to receive a client ID instantaneously.
A user-facing version of the registration endpoint is also available via HTTPS and offers client IDs that are also valid for 30 days.
Client applications that require longer-lasting client IDs for use in the authorization code grant, or that wish to use a UDAP certificate with HL7 UDAP FAST Security for Scalable Registration, Authentication, and Authorization or other UDAP workflows (either grant type), can register for a client ID or UDAP certificate at:
https://www.emrdirect.com/subscribe-developer
For a sandbox client ID to test the client app's use of authorization code flow against an EMR Direct R4 sandbox FHIR endpoint, use this self-service Registration Page. The corresponding FHIR R4 base URL is:
https://sandbox-r4.interopengine.com/fhir/r4/stage
User credentials for a test patient will be shared via email after Developer Registration has been completed.
Apps intending to make SMART Bulk Data requests can register by reaching out directly to the provider organization.
Please see the related note on Requirements for Client Registration for additional details.
In any of these transactions, the data holder must also authorize the app’s access to health data.
3. Make FHIR data requests
If the app was dynamically or manually registered and obtained a client ID, use those credentials to authenticate the app, together with the user's authentication in the case of authorization code flow. Then, if authorized, access FHIR resources according to the SMART App Launch framework and/or SMART Bulk Data, as appropriate.
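The client side of the authorization code flow described above, as an added example that is not part of the original article and is not EMR Direct code: it checks a SMART discovery document, builds the authorization request with PKCE (S256), `state` and `aud`, and validates the redirect before building the token request. Assumptions: the discovery document and its auth.example.org endpoints are constructed placeholders, the function names are hypothetical, and the app is a public client that sends `client_id` in the token request.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import urlencode, urlparse, parse_qs

FHIR_BASE = "https://sandbox-r4.interopengine.com/fhir/r4/stage"  # sandbox base URL from the article
# Constructed sample of a SMART discovery document; the auth.example.org endpoints are placeholders.
SAMPLE_SMART_CONFIG = {
    "authorization_endpoint": "https://auth.example.org/authorize",
    "token_endpoint": "https://auth.example.org/token",
    "code_challenge_methods_supported": ["S256"],
}

def check_config(cfg):
    """Refuse to start a flow against non-HTTPS endpoints or a server without PKCE S256."""
    for key in ("authorization_endpoint", "token_endpoint"):
        if urlparse(cfg.get(key, "")).scheme != "https":
            raise ValueError(f"{key} is missing or not HTTPS")
    if "S256" not in cfg.get("code_challenge_methods_supported", []):
        raise ValueError("server does not advertise PKCE S256")

def s256(verifier):
    """PKCE S256 transform: base64url(SHA-256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def begin_authorization(cfg, client_id, redirect_uri, scope, fhir_base=FHIR_BASE):
    """Return (authorize_url, session); keep session server-side, bound to the user's session."""
    check_config(cfg)
    session = {"state": secrets.token_urlsafe(32), "code_verifier": secrets.token_urlsafe(64),
               "client_id": client_id, "redirect_uri": redirect_uri}
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": scope, "state": session["state"], "aud": fhir_base,
              "code_challenge": s256(session["code_verifier"]), "code_challenge_method": "S256"}
    return cfg["authorization_endpoint"] + "?" + urlencode(params), session

def token_request_form(callback_url, session):
    """Validate the redirect back to the app and build the form body for the token endpoint."""
    query = parse_qs(urlparse(callback_url).query)
    returned_state = query.get("state", [""])[0]
    # Constant-time comparison; a mismatch means the response is not for this session.
    if not hmac.compare_digest(returned_state.encode(), session["state"].encode()):
        raise ValueError("state mismatch: response does not belong to this session")
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    if "code" not in query:
        raise ValueError("no authorization code in callback")
    return {"grant_type": "authorization_code", "code": query["code"][0],
            "redirect_uri": session["redirect_uri"], "client_id": session["client_id"],
            "code_verifier": session["code_verifier"]}
```

The returned form is what the app would POST to the `token_endpoint` from the discovery document; the `aud` value must be the FHIR base URL the app intends to query.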
If the app obtained a UDAP certificate, use the certificate to register and authenticate according to the applicable standard and any additional community-related requirements.
If the endpoint you wish to query is not found in our FHIR Endpoint Directory, contact the data holder directly or check NPPES or another trusted directory service for the FHIR endpoint. The data holder is also the best point of contact for additional questions about the credentials needed to access their system or about the data holder's privacy policy and terms of use.
Refer to the FHIR CLIENT APP DEVELOPERS section of the App Studio site for additional knowledge base resources and community support forums for our HealthToGo FHIR services and UDAP.
