EHNAC Accreditation Program Created for Open API Transactions

New regulatory requirements about data sharing lead to the need for new forms of accreditation. The Electronic Healthcare Network Accreditation Commission (EHNAC)  has launched a new program tied to the interoperability requirements within the Office of the National Coordinator's Cures Act Final Rule and related CMS Interoperability and Patient Access Final Rule.

EHNAC has partnered with UDAP.org on the launch of the Trusted Dynamic Registration & Authentication Accreditation Program (TDRAAP) for open API transactions.

TDRAAP is designed to help healthcare organizations and application developers demonstrate their ability to use trusted digital certificates for endpoint identity, registration, authentication and attribute discovery for electronic healthcare transactions in real-time.

The Unified Data Access Profiles (UDAP) published by UDAP.org are designed to increase confidence in open API transactions through the use of trusted identities and verified attributes. Interest in UDAP led to the development of additional implementation guides focused on key use cases in the deployment of reusable identities, including Dynamic Client Registration and Tiered OAuth.

“Through the creation of a technical and governance infrastructure, TDRAAP supports interoperability with a specific focus on technical standards enabling trust and transparency for both organizational and individual access to data,” said EHNAC Executive Director and CEO Lee Barrett, in a statement. “We want everyone’s voice to be heard and invite all industry stakeholders to provide feedback to help guide the development of this important and very timely accreditation and technical certification program.”

Created for a number of healthcare stakeholders, TDRAAP offers two program options: TDRAAP- Basic or TDRAAP-Comprehensive.

TDRAAP-Basic offers privacy and security self-attestation with targeted validation while the included UDAP technical framework certification demonstrates that an entity’s end-to-end API can be trusted by patients and other industry stakeholders. It is designed specifically for developers of consumer-facing apps, also referred to as a patient’s “App of their Choice,” as used in workflows mandated by ONC and CMS that include SMART app launch with individual sign-on. TDRAAP-Basic thus supports the use of individual queries for “one-patient-at-a-time FHIR data access” using the credentials issued by the healthcare system publishing the API for the Individual to access data.

TDRAAP-Comprehensive is designed for a diverse cross-section of organizations and systems choosing to demonstrate full HIPAA/HITECH Privacy Security compliance and supporting all relevant UDAP workflows including those for privileged client app or provider access such as in bulk data, broadcast, or targeted cross-organizational queries. Program candidates include payers, providers, mobile app developers, health information exchanges (HIEs), health information networks (HINs), identity and credential service providers, financial institutions, regulatory agencies, defense contractors, clearinghouses, as well as EHR, security, and cloud vendors.

The first draft criteria for TDRAAP v1.0 is now posted on the EHNAC website along with new versions of program criteria for EHNAC’s 21 accreditation programs, for a 60-day public comment and review.