mXDE + QEDm = Provenance

The combination of mXDE and QEDm provide for Provenance evidence between the FHIR Resources made available via QEDm and the documents from which that data was decomposed. In this way the client application using FHIR Resource data can ask for Provenance. For each Provenance record given there is a unique document that contained that information. Thus the client can know how many documents stated the medical information, and can navigate to those documents. see IHE whitepaper section

UDAP for Client App Registration, Authentication & Authorization

Since FHIR transactions require the use of a FHIR client, client application registration and management is an integral component of query using FHIR. With regards to system authentication for this use case, UDAP Dynamic Client Registration provides an extension to RFC 7591 to better scale the registration and use of FHIR client apps. This profile has seen interest from numerous industry stakeholders as an alternative to manually re-registering apps at every different datasource and as a way to enable sharing of information about apps among datasources. Trusted Dynamic Client Registration provides a path for verification of attributes for apps holding valid digital certificates and the communication of these attributes (e.g. privacy policy) to the end user, increasing confidence in valid FHIR clients within the ecosystem and facilitating the connection of apps to clinical FHIR servers without manual pre-registration. This can be used together with UDAP JWT-based Client Authentication to support reusable client identity for authentication and authorization, to help scale the use of client credentials or authorization code flow, and UDAP JWT-based Client Authorization Grants can be used to transmit Purpose of Use and Consent Information.             UDAP is an open collaborative developing profiles to increase scalability, confidence, security, and trust in Open API ecosystems, and allows the re-use of identity proofing and credentialing processes already in place in existing national health information networks. These profiles are in draft status and are in pilot stage. UDAP DCR and Authentication/Authorization have been tested successfully at several HL7 FHIR connectathons and have received positive feedback from multiple stakeholders, including national health information networks, EHR vendors, patient privacy rights advocates, and app developers. These profiles are also compatible with SMART App Launch and UMA.         We recommend that this be listed as a separate interoperability need sub-section of Query or possibly as a new top-level entry in Section III (e.g. Client Application Management), as it potentially overlaps with many of the other existing sub-sections where FHIR is used, including Query, Consumer Access, and Push.         Julie Maas, CEO, EMR Direct

UDAP for Client App Registration, Authentication & Authorization

This work has now been jointly published by and HL7. The Security for Scalable Registration, Authentication, and Authorization (UDAP Security - Business-to-Business workflow is therefore recommended for use in this type of exchange; it is an Emerging Implementation Specification for securely scaling FHIR transactions by validating trusted ecosystem endpoints.