Current through September 30, 2024
Section 170.215 - Application Programming Interface Standards
The Secretary adopts the following standards and associated implementation specifications as the available standards for application programming interfaces (API):
(a) API base standard. The following are applicable for purposes of standards-based APIs.
(1) Standard. HL7® Fast Healthcare Interoperability Resources (FHIR®) Release 4.0.1 (incorporated by reference, see § 170.299).
(b) API constraints and profiles. The following are applicable for purposes of constraining and profiling data standards.
(1) United States Core Data Implementation Guides -
(i) Implementation specification. HL7® FHIR® US Core Implementation Guide STU 3.1.1 (incorporated by reference in § 170.299). The adoption of this standard expires on January 1, 2026.
(ii) Implementation specification. HL7® FHIR® US Core Implementation Guide STU 6.1.0 (incorporated by reference, see § 170.299).
(c) Application access and launch. The following are applicable for purposes of enabling client applications to access and integrate with data systems.
(1) Implementation specification. HL7® SMART Application Launch Framework Implementation Guide Release 1.0.0, including mandatory support for the "SMART Core Capabilities" (incorporated by reference, see § 170.299). The adoption of this standard expires on January 1, 2026.
(2) Implementation specification. HL7® SMART App Launch Implementation Guide Release 2.0.0, including mandatory support for the "Capability Sets" of "Patient Access for Standalone Apps" and "Clinician Access for EHR Launch"; all "Capabilities" as defined in "8.1.2 Capabilities," excepting the "permission-online" capability; "Token Introspection" as defined in "7 Token Introspection" (incorporated by reference, see § 170.299).
(d) Bulk export and data transfer standards. The following are applicable for purposes of enabling access to large volumes of information on a group of individuals.
(1) Implementation specification. FHIR® Bulk Data Access (Flat FHIR®) (v1.0.0: STU 1), including mandatory support for the "group-export" "OperationDefinition" (incorporated by reference, see § 170.299).
(e) API authentication, security, and privacy. The following are applicable for purposes of authorizing and authenticating client applications.
(1) Standard. OpenID Connect Core 1.0, incorporating errata set 1 (incorporated by reference, see § 170.299).
85 FR 25941, May 1, 2020, as amended at 85 FR 70082, Nov. 4, 2020
85 FR 25941, 6/30/2020; 85 FR 70082, 12/4/2020; 89 FR 1428, 2/8/2024; 89 FR 8548, 3/11/2024