App Onboarding Process
1. Develop your client
Use the relevant version of the Interoperability Engine API documentation and terms for third-party client application developers from the HealthToGo App Studio site. This is the documentation needed to build a client application that leverages health data made available by Data Holders with EMR Direct Interoperability Engine.
Consider whether the app will use authorization code flow with a username/password assigned by the Data Holder (for example, patient portal credentials used by patients) or client credentials flow (when an end user is not present to enter credentials or an enterprise/client-level authorization is appropriate). If the app's use case requires client credentials and the Data Holder will authorize access, plan to either reach out to the Data Holder for client credentials or implement UDAP Dynamic Client Registration and UDAP JWT-Based Authentication and obtain a trusted certificate.
Be sure to follow best practices for making users aware of the app's security and data management policies. If the app's use goes beyond individual access to a patient's own data, enter into any necessary agreements with the Data Holder prior to requesting data.
2. Register your client with EMR Direct
Client applications intended for use with a patient's own credentials as part of SMART Authorization Code Flow have the option to register dynamically according to Interoperability Engine API documentation and the referenced OAuth Dynamic Client Registration standard. For client applications that do not support Dynamic Client Registration or wish to use UDAP Dynamic Client Registration and/or UDAP JWT-Based Authentication B2B or B2C, manual registration for a UDAP certificate is available when registering as an EMR Direct Developer (select the Client Registration... option). Contact the healthcare organization directly for one-off client credentials access to health data managed by that organization.
Please see the related note on Requirements for Client Registration for additional information.
3. Make FHIR data requests
If the app was dynamically or manually registered and received a client ID and secret, proceed with those credentials, and user credentials if using authorization code flow, to access FHIR resources according to the SMART App Launch framework.
If the app was manually registered and obtained a UDAP certificate from EMR Direct, use UDAP JWT-Based Client Authentication to submit a signed authentication token and obtain an access token (steps 3-7 of the UDAP JWT-Based Client Authentication profile), then proceed with authorization code or client credentials flow.
If the endpoint you wish to query is not found in our FHIR Endpoint Directory, contact the Data Holder directly or check NPPES or another directory service for their FHIR resource endpoint. The Data Holder or health system is also the best point of contact for additional questions about the credentials needed to access the system or about the Data Holder's privacy policy and terms of use.
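The signed authentication token used for UDAP JWT-Based Client Authentication in step 3 can be sketched as follows. This is an added example, not code from EMR Direct or the UDAP profile; the function names are hypothetical, and the client ID, endpoint URL, key and `x5c` value are supplied by the caller (constructed values when testing locally).

```javascript
// Added example: build the signed UDAP authentication token (a JWT client
// assertion) and the token request that carries it. Names are hypothetical.
const nodeCrypto = require("crypto");

const b64url = (s) => Buffer.from(s).toString("base64url");

function buildClientAssertion({ clientId, tokenEndpoint, privateKey, x5c, now = Date.now() }) {
  const iat = Math.floor(now / 1000);
  const header = { alg: "RS256", x5c }; // x5c: base64 DER certificate chain, leaf first
  const claims = {
    iss: clientId, // issuer and subject are both the client ID
    sub: clientId,
    aud: tokenEndpoint, // binds the token to one authorization server
    iat,
    exp: iat + 300, // short lifetime: 5 minutes
    jti: nodeCrypto.randomUUID(), // unique ID so the server can reject replays
  };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  // RSA PKCS#1 v1.5 over SHA-256 is what the JWT header calls RS256.
  const sig = nodeCrypto.sign("sha256", Buffer.from(signingInput), privateKey);
  return `${signingInput}.${sig.toString("base64url")}`;
}

// Local pre-flight check mirroring server-side checks: signature, audience, expiry.
function checkAssertion(jwt, publicKey, expectedAud, now = Date.now()) {
  const [h, c, s] = jwt.split(".");
  const ok = nodeCrypto.verify("sha256", Buffer.from(`${h}.${c}`), publicKey, Buffer.from(s, "base64url"));
  if (!ok) throw new Error("bad signature");
  const claims = JSON.parse(Buffer.from(c, "base64url").toString());
  if (claims.aud !== expectedAud) throw new Error("wrong audience");
  if (claims.exp <= Math.floor(now / 1000)) throw new Error("expired");
  return claims;
}

// Form body for the token endpoint (authorization code grant shown).
function tokenRequestBody({ code, redirectUri, assertion }) {
  return new URLSearchParams({
    grant_type: "authorization_code",
    code,
    redirect_uri: redirectUri,
    client_assertion_type: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
    client_assertion: assertion,
    udap: "1",
  }).toString();
}
```

The authorization server additionally validates the `x5c` certificate chain against its trust anchors, which `checkAssertion` does not attempt. Keep the private key out of the app bundle and source control, since anyone holding it can authenticate as the client.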