Trusted Dynamic Registration & Authentication
The Trusted Dynamic Registration & Authentication Accreditation Program (TDRAAP) is designed to help healthcare organizations and application developers demonstrate their ability to use trusted digital certificates for endpoint identity, registration, authentication and attribute discovery for electronic healthcare transactions in real time.
Developed to support an organization’s continued focus on interoperability – a foundational component of the Office of the National Coordinator’s (ONC’s) Cures Act Final Rule and related CMS Interoperability and Patient Access Final Rule – the program combines technical certification with third-party review of privacy and security, while enabling trust and transparency for organizational and individual access to data.
The program is available with two options:
TDRAAP Basic is designed specifically for developers of consumer-facing apps, also referred to as a patient’s “App of their Choice,” as used in workflows such as ONC certified Health IT that include SMART app launch with individual sign-on for FHIR data access by one patient at a time with the patient’s own credentials issued by the healthcare system publishing the API.
Example: A start-up application development company wants to “certify” a single application using UDAP with Authorization Code Flow. ABC Company develops a Diabetes App designed to allow a patient to access their own information from a hospital or ambulatory provider’s FHIR endpoint. This program contains a technical certification step (limited to one client app’s capabilities, for organizations that do not operate a FHIR server or OAuth server) along with a Privacy and Security Self-Attestation, which includes targeted Subject Matter Expert validation. The Basic Program is priced at $1,200 and is valid for a one-year period.
TDRAAP-Comprehensive combines the extensive privacy and security requirements and in-depth validation of traditional EHNAC accreditation programs with UDAP technical framework certification. It is designed for a diverse cross-section of organizations and systems choosing to demonstrate full HIPAA/HITECH Privacy and Security compliance and supporting all UDAP.org workflows including those for bulk data transfer, broadcast queries, when privileged client access data is sought, or authorization code flow.
Program candidates include:
- Mobile app developers
- Health Information Exchanges (HIEs)
- Health Information Networks (HINs)
- Financial institutions
- Regulatory agencies
- Defense contractors
- EHR vendors
- Security vendors
- Cloud vendors
- Identity providers
TDRAAP-Comprehensive may include up to 5 apps and/or endpoints, with additional nominal fees applied for more than 5 apps and/or endpoints. This program contains a technical certification step (unlimited in the number of endpoints for client, app and identity) along with a Privacy and Security Accreditation. This includes full subject matter expert review and an onsite audit. The Comprehensive Program is cost-effectively priced based on your organization’s revenue level and is valid for a two-year period.
The Unified Data Access Profiles (UDAP), tested within the certification process, are open standards that are free for any API ecosystem participant to implement and use. They extend OAuth and OpenID Connect to leverage trusted digital certificates. UDAP workflows eliminate the need for every FHIR endpoint to independently vet and manually register every client application, and they enable the reuse of OpenID credentials or digital certificates in JWT-based authentication. This solves the problem of having to generate and manage single-system credentials for each trio of client application, payer or provider data source, and consumer or other data requestor, a scalability challenge left unsolved by OAuth and OpenID as they stand.
By using the UDAP extensions to these standards along with trusted digital certificates instead of client secrets, participants who successfully complete this program signal enhanced security and confidence in their systems as app operators, identity providers, and FHIR servers, which is essential to Da Vinci use cases and to FHIR exchange more generally, while also supporting real-time discovery of verified information about counterparties during dynamic (automated) client registration and authentication. See UDAP.org for information on Unified Data Access Profiles, enrollment for testing, educational materials and more.
-Lee Barrett, Executive Director and CEO, EHNAC
Julie Maas, CEO of EMR Direct, UDAP.org contributor
Demonstrate Trust with TDRAAP
TDRAAP participants who successfully complete this program signal enhanced security and confidence in their systems as app operators, identity providers and FHIR servers, which is essential to Da Vinci use cases and to FHIR exchange. The achievement also supports real-time discovery of verified information about counterparties during dynamic (automated) client registration and authentication.
The value of providing support for UDAP workflows, completing privacy and security accreditation, and enabling certificate-based trust is recognized throughout the healthcare IT industry, and the benefits of UDAP are referenced in HL7 materials; CARIN, Carequality, and Da Vinci implementation guides; and in the FHIR at Scale Taskforce (FAST) Security Tiger Team’s solution to the question of how to manage permissions and security at scale across millions of patients, payers and providers.
Criteria for the TDRAAP Program are available on the EHNAC Criteria Page. Organizations interested in beginning the application process for TDRAAP should complete the application form or contact EHNAC. Organizations that require hands-on support to complete pre-assessment steps, readiness planning, gap assessments and more can turn to EHNAC’s Consulting and Advisory Services.