Trusted Dynamic Registration & Authentication
The Trusted Dynamic Registration & Authentication Accreditation Program (TDRAAP) is designed to help healthcare organizations and application developers demonstrate their ability to use trusted digital certificates for endpoint identity, registration, authentication and attribute discovery for electronic healthcare transactions in real time.
Developed to support an organization’s continued focus on interoperability – a foundational component of the Office of the National Coordinator’s (ONC’s) Cures Act Final Rule and related CMS Interoperability and Patient Access Final Rule – the program combines technical certification with third-party review of privacy and security, while enabling trust and transparency for organizational and individual access to data.
The program is available with two options:
TDRAAP-Basic offers privacy and security self-attestation with targeted validation while the included Unified Data Access Profiles (UDAP) technical framework certification demonstrates that an entity’s end-to-end API can be trusted by patients and other industry stakeholders. The Basic program is designed specifically for developers of consumer-facing apps, also referred to as a patient’s “App of their Choice,” using individual sign-on for access to one patient’s FHIR data at a time within ONC-certified Health IT, payer systems, or other Health IT with the patient’s own credentials.
Example:Start-up Application Development company wants to “certify” a single application using UDAP with Authorization Code Flow. ABC Company develops a Diabetes App designed to allow a patient to access their own information from a hospital or ambulatory provider’s FHIR endpoint. This program contains a technical certification step (limited to one client app capabilities—for organizations that do not operate a FHIR server or OAuth server) along with a Privacy and Security Self-Attestation which includes targeted Subject Matter Expert validation. The Basic Program is priced at $1,200 and is valid for a one-year period.
TDRAAP-Comprehensive is designed for organizations wanting to demonstrate full HIPAA/HITECH Privacy and Security compliance and validation of all UDAP technical Workflows they support, including FHIR server, identity service, privileged client app or provider access to data—for example, FHIR Bulk Data requests, broadcast or targeted queries, authorization code flow in patient-directed or cross-organizational queries, or any setting in which multiple services deployed by the organization enable UDAP workflows.
Program candidates include:
- Mobile app developers
- Health Information Exchanges (HIEs)
- Health Information Networks (HINs)
- Financial institutions
- Regulatory agencies
- Defense contractors
- EHR vendors
- Security vendors
- Cloud vendors
- Identity providers
TDRAAP-Comprehensive may include up to 5 apps and/or endpoints, with additional nominal fees applied for greater than 5 apps and/or endpoints. This program contains a technical certification step (unlimited on the number of end points for client, app and identity) along with a Privacy and Security Accreditation. This includes full subject matter expert review and onsite audit. The Comprehensive Program is cost effectively priced based on your organization’s revenue level and is valid for a two-year period.
The Unified Data Access Profiles, tested within the certification process, are open standards that are free for any API ecosystem participant to implement and use, and extend OAuth and OpenID Connect to leverage trusted digital certificates. UDAP workflows eliminate the need for every FHIR endpoint to independently vet and manually register every client application and enable the reuse of OpenID credentials or digital certificates in JWT-based authentication. This solves the problem of having to generate and manage single-system credentials for each trio of client application, payer or provider data source, and consumer or other data requestor–a scalability challenge left unsolved by OAuth and OpenID as they stand. By using the UDAP extensions to these standards along with trusted digital certificates instead of client secrets, participants who successfully complete this program signal enhanced security and confidence in their systems as app operators, identity providers, and FHIR servers—which is essential to Da Vinci use cases and in FHIR exchange more generally – while also supporting real-time discovery of verified information about counter parties during dynamic (automated) client registration and authentication. See UDAP.org for information on Unified Data Access Profiles, enrollment for testing, educational materials and more.
Lee Barrett, Executive Director and CEO
Julie Maas, CEO of EMR Direct
Shaun Newton, Information Security & Compliance Officer
Ricky Sahu, CEO
Demonstrate Trust with TDRAAP
TDRAAP participants who successfully complete this program signal enhanced security and confidence in their systems as app operators, identity providers and FHIR servers essential to Da Vinci use cases and in FHIR exchange. The achievement also supports real-time discovery of verified information about counter parties during dynamic (automated) client registration and authentication.
The value of providing support for UDAP workflows, completing privacy and security accreditation, and enabling certificate-based trust is recognized throughout the healthcare IT industry, and the benefits of UDAP are referenced in HL7 materials; CARIN, Carequality, and Da Vinci implementation guides; and in the FHIR at Scale Taskforce (FAST) Security Tiger Team’s solution to the question of how to manage permissions and security at scale across millions of patients, payers and providers.
Criteria for the TDRAAP Program is available on the EHNAC Criteria Page. Organizations interested in beginning the application process for TDRAAP should complete the application form or contact EHNAC. For organizations that require hands-on support to complete pre-assessment steps, readiness planning, gap assessments and more, check out the EHNAC’s Consulting and Advisory Services.
TDRAAP will serve as a “good housekeeping seal” of proven readiness and trust to enter onto the interoperability digital exchange highway.
FHIR® is the registered trademark of HL7 and is used with the permission of HL7.