45 C.F.R. § 170.215

Current through November 30, 2024
Section 170.215 - Application Programming Interface Standards

The Secretary adopts the following standards and associated implementation specifications as the available standards for application programming interfaces (API):

(a)API base standard. The following are applicable for purposes of standards-based APIs.
(1)Standard. HL7® Fast Healthcare Interoperability Resources (FHIR®) Release 4.0.1 (incorporated by reference, see § 170.299 ).
(2) [Reserved]
(b)API constraints and profiles. The following are applicable for purposes of constraining and profiling data standards.
(1)United States Core Data Implementation Guides -
(i)Implementation specification. HL7® FHIR® US Core Implementation Guide STU 3.1.1 (incorporated by reference in § 170.299 ). The adoption of this standard expires on January 1, 2026.
(ii)Implementation Specification. HL7® FHIR® US Core Implementation Guide STU 6.1.0 (incorporated by reference, see § 170.299 ).
(2) [Reserved]
(c)Application access and launch. The following are applicable for purposes of enabling client applications to access and integrate with data systems.
(1)Implementation specification. HL7® SMART Application Launch Framework Implementation Guide Release 1.0.0, including mandatory support for the "SMART Core Capabilities" (incorporated by reference, see § 170.299 ). The adoption of this standard expires on January 1, 2026.
(2)Implementation specification. HL7® SMART App Launch Implementation Guide Release 2.0.0, including mandatory support for the "Capability Sets" of "Patient Access for Standalone Apps" and "Clinician Access for EHR Launch"; all "Capabilities" as defined in "8.1.2 Capabilities," excepting the "permission-online" capability; "Token Introspection" as defined in "7 Token Introspection" (incorporated by reference, see § 170.299 ).
(d)Bulk export and data transfer standards. The following are applicable for purposes of enabling access to large volumes of information on a group of individuals.
(1)Implementation specification. FHIR® Bulk Data Access (Flat FHIR®) (v1.0.0: STU 1), including mandatory support for the "group-export" "OperationDefinition" (incorporated by reference, see § 170.299 ).
(2) [Reserved]
(e)API authentication, security, and privacy. The following are applicable for purposes of authorizing and authenticating client applications.
(1)Standard. OpenID Connect Core 1.0, incorporating errata set 1 (incorporated by reference, see § 170.299 ).
(2) [Reserved]

45 C.F.R. §170.215

85 FR 25941 , May 1, 2020, as amended at 85 FR 70082 , Nov. 4, 2020
85 FR 25941 , 6/30/2020; 85 FR 70082 , 12/4/2020; 89 FR 1428 , 2/8/2024; 89 FR 8548 , 3/11/2024