Application Programming Interface (API) Task Force Recommendations May 12, 2016 Application Programming Interface (API) Task Force Recommendations, 05/12/2016 1 Member List Josh Mandel, Co-chair, Harvard Medical School Meg Marshall, Co-chair, Cerner Corporation Leslie Kelly Hall, Member, Healthwise Ivor Horn, Member, Seattle Children's Hospital Robert Jarrin, Member, Qualcomm Incorporated Rajiv Kumar, Member, Stanford University School of Medicine Richard Loomis, Member, Practice Fusion Aaron Miri, Member, Imprivata Drew Schiller, Member, Validic Aaron Seib, Member, National Association for Trusted Exchange David Yakimischak , Member, Surescripts Linda Sanches, Ex Officio, Office for Civil Rights-Health and Human Services Rose-Marie Nsahlai, Staff Lead, HHS Application Programming Interface (API) Task Force Recommendations, 05/12/2016 2 Table of Contents Application Programming Interface (API) Task Force Recommendations .................................................... 1 Member List .................................................................................................................................................. 2 I. Overview ............................................................................................................................................... 5 INTRODUCTION ......................................................................................................................................... 5 SCOPE ........................................................................................................................................................ 6 MOTIVATION FOR LIMITED SCOPE ........................................................................................................... 6 II. Task Force Approach ............................................................................................................................. 7 GENERAL SUPPORT FOR APIs .................................................................................................................... 7 Recommendations ................................................................................................................................ 7 OVERSIGHT AND ENFORCEMENT OF APIs ................................................................................................ 7 Background ........................................................................................................................................... 7 Findings ................................................................................................................................................. 8 Recommendations .............................................................................................................................. 10 III. Generic Use Case ............................................................................................................................ 12 VARIANTS ON USE CASE .......................................................................................................................... 12 TOPIC 1: TYPES OF APPS AND ORGANIZATIONS WHO PROVIDE THEM ................................................. 13 Background ......................................................................................................................................... 13 Findings ............................................................................................................................................... 13 Recommendations .............................................................................................................................. 13 TOPIC 2: APP REGISTRATION .................................................................................................................. 14 Background ......................................................................................................................................... 14 Findings ............................................................................................................................................... 15 Recommendations .............................................................................................................................. 15 TOPIC 3: ENDORSEMENT/CERTIFICATION OF APPS ............................................................................... 16 Background ......................................................................................................................................... 16 Findings ............................................................................................................................................... 16 Recommendations .............................................................................................................................. 18 TOPIC 4: COMMUNICATION OF THE APP’S PRIVACY POLICIES .............................................................. 18 Background ......................................................................................................................................... 18 Findings ............................................................................................................................................... 19 Recommendations .............................................................................................................................. 22 TOPIC 5: PATIENT AUTHORIZATION FRAMEWORK ................................................................................ 24 Application Programming Interface (API) Task Force Recommendations, 05/12/2016 3 Background ......................................................................................................................................... 24 Recommendations .............................................................................................................................. 24 TOPIC 6: LIMITATIONS AND SAFEGUARDS ON SHARING ........................................................................ 27 Background ......................................................................................................................................... 27 Findings ............................................................................................................................................... 27 Recommendations .............................................................................................................................. 28 TOPIC 7: AUDITING AND ACCOUNTING FOR DISCLOSURES ................................................................... 29 Background ......................................................................................................................................... 29 Findings ............................................................................................................................................... 30 Recommendations .............................................................................................................................. 31 TOPIC 8: IDENTITY PROOFING, USER AUTHENTICATION, AND APP AUTHENTICATION ......................... 32 Background ......................................................................................................................................... 32 Findings ............................................................................................................................................... 33 Recommendations .............................................................................................................................. 34 IV. Appendix ......................................................................................................................................... 36 A. Virtual Hearing Information ............................................................................................................ 36 Background ......................................................................................................................................... 36 Virtual Hearing Panelists ..................................................................................................................... 36 Key Items for Consideration................................................................................................................ 36 Out of Scope Issues ............................................................................................................................. 37 Key Themes from Hearings ................................................................................................................. 37 Top Challenges .................................................................................................................................... 42 Key Drivers for Success ....................................................................................................................... 42 B. Technical Actors, Roles, Responsibilities and Operations .............................................................. 43 C. Glossary of Terms ............................................................................................................................ 45 Application Programming Interface (API) Task Force Recommendations, 05/12/2016 4 I. Overview INTRODUCTION Application Programming Interface (API) refers to technology that allows one software program to access the services provided by another software program. In its 2015 Edition of Health IT Certification Criteria (2015 CHIT), the Office of the National Coordinator for Health Information