45 C.F.R. § 170.404

Current through September 30, 2024
Section 170.404 - Application programming interfaces

The following Condition and Maintenance of Certification requirements apply to developers of Health IT Modules certified to any of the certification criteria adopted in § 170.315(g)(7) through (10).

(a) Condition of certification requirements -
(1) General. A Certified API Developer must publish APIs and allow electronic health information from such technology to be accessed, exchanged, and used without special effort through the use of APIs or successor technology or standards, as provided for under applicable law, including providing access to all data elements of a patient's electronic health record to the extent permissible under applicable privacy laws.
(2) Transparency conditions -
(i) Complete business and technical documentation. A Certified API Developer must publish complete business and technical documentation, including the documentation described in paragraph (a)(2)(ii) of this section, via a publicly accessible hyperlink that allows any person to directly access the information without any preconditions or additional steps.
(ii) Terms and conditions -
(A) Material information. A Certified API Developer must publish all terms and conditions for its certified API technology, including any fees, restrictions, limitations, obligations, registration process requirements, or other similar requirements that would be:
(1) Needed to develop software applications to interact with the certified API technology;
(2) Needed to distribute, deploy, and enable the use of software applications in production environments that use the certified API technology;
(3) Needed to use software applications, including to access, exchange, and use electronic health information by means of the certified API technology;
(4) Needed to use any electronic health information obtained by means of the certified API technology;
(5) Used to verify the authenticity of API Users; and
(6) Used to register software applications.
(B) API fees. Any and all fees charged by a Certified API Developer for the use of its certified API technology must be described in detailed, plain language. The description of the fees must include all material information, including but not limited to:
(1) The persons or classes of persons to whom the fee applies;
(2) The circumstances in which the fee applies; and
(3) The amount of the fee, which for variable fees must include the specific variable(s) and methodology(ies) that will be used to calculate the fee.
(3) Fees conditions -
(i) General conditions -
(A) All fees. All fees related to certified API technology not otherwise permitted by this section are prohibited from being imposed by a Certified API Developer. The permitted fees in paragraphs (a)(3)(ii) and (iv) of this section may include fees that result in a reasonable profit margin in accordance with § 171.302.
(B) Permitted fees requirements. For all permitted fees, a Certified API Developer must:
(1) Ensure that such fees are based on objective and verifiable criteria that are uniformly applied to all similarly situated API Information Sources and API Users;
(2) Ensure that such fees imposed on API Information Sources are reasonably related to the Certified API Developer's costs to supply certified API technology to, and if applicable, support certified API technology for, API Information Sources;
(3) Ensure that such fees to supply and, if applicable, support certified API technology are reasonably allocated among all similarly situated API Information Sources; and
(4) Ensure that such fees are not based on whether API Information Sources or API Users are competitors, potential competitors, or will be using the certified API technology in a way that facilitates competition with the Certified API Developer.
(C) Prohibited fees. A Certified API Developer is prohibited from charging fees for the following:
(1) Costs associated with intangible assets other than actual development or acquisition costs of such assets;
(2) Opportunity costs unrelated to the access, exchange, or use of electronic health information; and
(3) The permitted fees in this section cannot include any costs that led to the creation of intellectual property if the actor charged a royalty for that intellectual property pursuant to § 171.303 and that royalty included the development costs for the creation of the intellectual property.
(D) Record-keeping requirements. A Certified API Developer must keep for inspection detailed records of any fees charged with respect to the certified API technology, the methodology(ies) used to calculate such fees, and the specific costs to which such fees are attributed.
(ii) Permitted fee-development, deployment, and upgrades. A Certified API Developer is permitted to charge fees to an API Information Source to recover the costs reasonably incurred by the Certified API Developer to develop, deploy, and upgrade certified API technology.
(iii) Permitted fee-recovering API usage costs. A Certified API Developer is permitted to charge fees to an API Information Source related to the use of certified API technology. The fees must be limited to the recovery of incremental costs reasonably incurred by the Certified API Developer when it hosts certified API technology on behalf of the API Information Source.
(iv) Permitted fee-value-added services. A Certified API Developer is permitted to charge fees to an API User for value-added services related to certified API technology, so long as such services are not necessary to efficiently and effectively develop and deploy production-ready software that interacts with certified API technology.
(4) Openness and pro-competitive conditions; general condition. A Certified API Developer must grant an API Information Source the independent ability to permit an API User to interact with the certified API technology deployed by the API Information Source.
(i) Non-discrimination.
(A) A Certified API Developer must provide certified API technology to an API Information Source on terms that are no less favorable than it provides to itself and its own customers, suppliers, partners, and other persons with whom it has a business relationship.
(B) The terms on which a Certified API Developer provides certified API technology must be based on objective and verifiable criteria that are uniformly applied to all substantially similar or similarly situated classes of persons and requests.
(C) A Certified API Developer must not offer different terms or services based on:
(1) Whether a competitive relationship exists or would be created;
(2) The revenue or other value that another party may receive from using the API technology.
(ii) Rights to access and use certified API technology -
(A) Rights that must be granted. A Certified API Developer must have and, upon request, must grant to API Information Sources and API Users all rights that may be reasonably necessary to:
(1) Access and use the Certified API Developer's certified API technology in a production environment;
(2) Develop products and services that are designed to interact with the Certified API Developer's certified API technology; and
(3) Market, offer, and distribute products and services associated with the Certified API Developer's certified API technology.
(B) Prohibited conduct. A Certified API Developer is prohibited from conditioning the receipt of the rights described in paragraph (a)(4)(ii)(A) of this section on:
(1) Receiving a fee, including but not limited to a license fee, royalty, or revenue-sharing arrangement;
(2) Agreeing to not compete with the Certified API Developer in any product, service, or market;
(3) Agreeing to deal exclusively with the Certified API Developer in any product, service, or market;
(4) Obtaining additional licenses, products, or services that are not related to or can be unbundled from the certified API technology;
(5) Licensing, granting, assigning, or transferring any intellectual property to the Certified API Developer;
(6) Meeting any Certified API Developer-specific testing or certification requirements; and
(7) Providing the Certified API Developer or its technology with reciprocal access to application data.
(iii) Service and support obligations. A Certified API Developer must provide all support and other services reasonably necessary to enable the effective development, deployment, and use of certified API technology by API Information Sources and API Users in production environments.
(A) Changes and updates to certified API technology. A Certified API Developer must make reasonable efforts to maintain the compatibility of its certified API technology and to otherwise avoid disrupting the use of certified API technology in production environments.
(B) Changes to terms and conditions. Except as exigent circumstances require, prior to making changes to its certified API technology or to the terms and conditions thereof, a Certified API Developer must provide notice and a reasonable opportunity for API Information Sources and API Users to update their applications to preserve compatibility with certified API technology and to comply with applicable terms and conditions.
(b) Maintenance of certification requirements -
(1) Authenticity verification and registration for production use. The following apply to a Certified API Developer with a Health IT Module certified to the certification criterion adopted in § 170.315(g)(10):
(i) Authenticity verification. A Certified API Developer is permitted to institute a process to verify the authenticity of API Users so long as such process is objective and the same for all API Users and completed within ten business days of receipt of an API User's request to register their software application for use with the Certified API Developer's Health IT Module certified to § 170.315(g)(10).
(ii) Registration for production use. A Certified API Developer must register and enable all applications for production use within five business days of completing its verification of an API User's authenticity, pursuant to paragraph (b)(1)(i) of this section.
(2) Service base URL publication. For all Health IT Modules certified to § 170.315(g)(10), a Certified API Developer must publish, at no charge, the service base URLs and related organization details that can be used by patients to access their electronic health information, by December 31, 2024. This includes all customers regardless of whether the Health IT Modules certified to § 170.315(g)(10) are centrally managed by the Certified API Developer or locally deployed by an API Information Source. These service base URLs and organization details must conform to the following:
(i) Service base URLs must be publicly published in Endpoint resource format according to the standard adopted in § 170.215(a).
(ii) Organization details for each service base URL must be publicly published in Organization resource format according to the standard adopted in § 170.215(a). Each Organization resource must contain:
(A) A reference, in the Organization.endpoint element, to the Endpoint resources containing service base URLs managed by this organization.
(B) The organization's name, location, and facility identifier.
(iii) Endpoint and Organization resources must be:
(A) Collected into a Bundle resource formatted according to the standard adopted in § 170.215(a) for publication; and
(B) Reviewed quarterly and, as necessary, updated.
(3) Rollout of (g)(10)-certified APIs. A Certified API Developer with certified API technology previously certified to the certification criterion in § 170.315(g)(8) must provide all API Information Sources with such certified API technology deployed with certified API technology certified to the certification criterion in § 170.315(g)(10) by no later than December 31, 2022.
(4) Compliance for existing certified API technology. By no later than April 5, 2021, a Certified API Developer with Health IT Module(s) certified to the certification criteria in § 170.315(g)(7), (8), or (9) must comply with paragraph (a) of this section, including revisions to their existing business and technical API documentation and make such documentation available via a publicly accessible hyperlink that allows any person to directly access the information without any preconditions or additional steps.
(c) Definitions. The following definitions apply to this section:

API Information Source means an organization that deploys certified API technology created by a "Certified API Developer;"

API User means a person or entity that creates or uses software applications that interact with the "certified API technology" developed by a "Certified API Developer" and deployed by an "API Information Source;"

Certified API Developer means a health IT developer that creates the "certified API technology" that is certified to any of the certification criteria adopted in § 170.315(g)(7) through (10); and

Certified API technology means the capabilities of Health IT Modules that are certified to any of the API-focused certification criteria adopted in § 170.315(g)(7) through (10).

85 FR 25945, May 1, 2020, as amended at 85 FR 70084, Nov. 4, 2020
85 FR 25945, 6/30/2020; 85 FR 70084, 12/4/2020; 89 FR 1433, 2/8/2024; 89 FR 8548, 3/11/2024