View all text of Subpart B [§ 170.200 - § 170.299]
§ 170.215 - Application Programming Interface Standards.
The Secretary adopts the following standards and associated implementation specifications as the available standards for application programming interfaces (API):
(a) API base standard. The following are applicable for purposes of standards-based APIs.
(1) Standard. HL7® Fast Healthcare Interoperability Resources (FHIR®) Release 4.0.1 (incorporated by reference, see § 170.299).
(2) [Reserved]
(b) API constraints and profiles. The following are applicable for purposes of constraining and profiling data standards.
(1) United States Core Data Implementation Guides—(i) Implementation specification. HL7® FHIR® US Core Implementation Guide STU 3.1.1 (incorporated by reference in § 170.299). The adoption of this standard expires on January 1, 2026.
(ii) Implementation Specification. HL7® FHIR® US Core Implementation Guide STU 6.1.0 (incorporated by reference, see § 170.299).
(2) [Reserved]
(c) Application access and launch. The following are applicable for purposes of enabling client applications to access and integrate with data systems.
(1) Implementation specification. HL7® SMART Application Launch Framework Implementation Guide Release 1.0.0, including mandatory support for the “SMART Core Capabilities” (incorporated by reference, see § 170.299). The adoption of this standard expires on January 1, 2026.
(2) Implementation specification. HL7® SMART App Launch Implementation Guide Release 2.0.0, including mandatory support for the “Capability Sets” of “Patient Access for Standalone Apps” and “Clinician Access for EHR Launch”; all “Capabilities” as defined in “8.1.2 Capabilities,” excepting the “permission-online” capability; “Token Introspection” as defined in “7 Token Introspection” (incorporated by reference, see § 170.299).
(d) Bulk export and data transfer standards. The following are applicable for purposes of enabling access to large volumes of information on a group of individuals.
(1) Implementation specification. FHIR® Bulk Data Access (Flat FHIR®) (v1.0.0: STU 1), including mandatory support for the “group-export” “OperationDefinition” (incorporated by reference, see § 170.299).
(2) [Reserved]
(e) API authentication, security, and privacy. The following are applicable for purposes of authorizing and authenticating client applications.
(1) Standard. OpenID Connect Core 1.0, incorporating errata set 1 (incorporated by reference, see § 170.299).
(2) [Reserved]