Trusted Dynamic Registration & Authentication

The Trusted Dynamic Registration & Authentication Accreditation Program (TDRAAP) is designed to help healthcare organizations and application developers demonstrate their ability to use trusted digital certificates for endpoint identity, registration, authentication and attribute discovery for electronic healthcare transactions in real time.

Developed to support an organization’s continued focus on interoperability – a foundational component of the Office of the National Coordinator’s (ONC’s) Cures Act Final Rule and related CMS Interoperability and Patient Access Final Rule – the program combines technical certification with third-party review of privacy and security, while enabling trust and transparency for organizational and individual access to data.

The program is available with two options:

TDRAAP-Basic offers privacy and security self-attestation with targeted validation while the included Unified Data Access Profiles (UDAP) technical framework certification demonstrates that an entity’s end-to-end API can be trusted by patients and other industry stakeholders. The Basic program is designed specifically for developers that provide only consumer-facing applications using the SMART App Launch Framework, also referred to as a patient’s “App of their Choice,” or other FHIR client for patient directed exchange, and only enable this data access workflow. These apps use individual sign-on for access to one patient’s FHIR® data at a time within ONC-certified Health IT, payer systems, or other Health IT with the patient’s own credentials issued by the data holder.

Example: A start-up application development company wants to “certify” a single application using UDAP with Authorization Code Flow. ABC Company develops a Diabetes App designed to allow a patient to access their own information from a hospital or ambulatory provider’s FHIR endpoint. This program contains a technical certification step (limited to one client app’s capabilities, for organizations that do not operate a FHIR server or OAuth server) along with a Privacy and Security Self-Attestation, which includes targeted Subject Matter Expert validation. The Basic Program is priced at $1,200 and is valid for a one-year period.

TDRAAP-Comprehensive is designed for organizations wanting to demonstrate full HIPAA/HITECH Privacy and Security compliance and validation of all UDAP technical workflows they support, including FHIR server, identity service, privileged client app or provider access to data—for example, FHIR Bulk Data requests, broadcast or targeted queries, authorization code flow in patient-directed or cross-organizational queries, or any setting in which multiple services deployed by the organization enable UDAP workflows.

Program candidates include:

  • Payers
  • Providers
  • Mobile app developers
  • Health Information Exchanges (HIEs)
  • Health Information Networks (HINs)
  • Financial institutions
  • Regulatory agencies
  • Defense contractors
  • Clearinghouses
  • EHR vendors
  • Security vendors
  • Cloud vendors
  • Identity providers

TDRAAP-Comprehensive may include up to 5 apps and/or endpoints, with additional nominal fees applied for more than 5 apps and/or endpoints. This program contains a technical certification step (with no limit on the number of endpoints for client, app and identity) along with a Privacy and Security Accreditation, which includes full subject matter expert review and an onsite audit. The Comprehensive Program is cost-effectively priced based on your organization’s revenue level and is valid for a two-year period.

The Unified Data Access Profiles, tested within the certification process, are open standards that are free for any API ecosystem participant to implement and use. They extend OAuth and OpenID Connect to leverage trusted digital certificates. UDAP workflows eliminate the need for every FHIR endpoint to independently vet and manually register every client application, and they enable the reuse of OpenID credentials or digital certificates in JWT-based authentication. This solves the problem of having to generate and manage single-system credentials for each trio of client application, payer or provider data source, and consumer or other data requestor, a scalability challenge left unsolved by OAuth and OpenID as they stand. By using the UDAP extensions to these standards along with trusted digital certificates instead of client secrets, participants who successfully complete this program signal enhanced security and confidence in their systems as app operators, identity providers, and FHIR servers, which is essential to Da Vinci use cases and in FHIR exchange more generally, while also supporting real-time discovery of verified information about counterparties during dynamic (automated) client registration and authentication. See UDAP.org for information on Unified Data Access Profiles, enrollment for testing, educational materials and more.

“The ability to efficiently register and authenticate endpoints is a core component of interoperability throughout the healthcare information highway. Through the creation of a technical and governance infrastructure, TDRAAP supports interoperability with a specific focus on technical standards enabling trust and transparency for both organizational and individual access to data.”

Lee Barrett, Executive Director and CEO
EHNAC

“The open source UDAP profiles provide the ability to efficiently register and authenticate endpoints and applications, increasing confidence in FHIR and other open API transactions through the re-use of established, trusted identities and verified attributes. We are excited to join EHNAC in bringing the industry a program for those seeking to signal enhanced security, privacy, and interoperability of their systems by certifying their compliance with the profiles. This empowers application developers, healthcare systems and other industry stakeholder organizations, patients, and other consumers with more efficient access to health data.”

Julie Maas, CEO of EMR Direct
UDAP.org contributor

“We believe the TDRAAP accreditation adds significant value for our clients and enables them to stay ahead of an evolving regulatory environment. TDRAAP provides the much-needed governance infrastructure for supporting scalable interoperability, with a specific focus on the technical standards enabling trust and transparency for both organizational and individual access to data. This comprehensive accreditation supports the establishment of a trusted ecosystem. Without an accredited trust network, healthcare organizations would be forced to manage a manual vetting and registration process. Our team continues to embrace regulatory change and ensure our solution empowers the healthcare industry with a laser-focused, scalable interoperability platform that drives patient-centered care.”

Shaun Newton, Information Security & Compliance Officer
ZeOmega

“The EHNAC TDRAAP-Comprehensive accreditation provides OtisHealth with additional credibility as a professional organization. Our partners understand that opening our company to a third-party evaluation of our processes, policies, and technology is a testament to our commitment to the privacy and security of the incredibly sensitive data our members have entrusted to our platform. The accreditation process, guided by EHNAC’s fantastic staff, also gave us the opportunity to take a fresh look at ourselves to ensure we are continually applying the best practices.”

Marc Mar-Yohana, Founder and CEO
OtisHealth

Demonstrate Trust with TDRAAP
TDRAAP participants who successfully complete this program signal enhanced security and confidence in their systems as app operators, identity providers and FHIR servers essential to Da Vinci use cases and in FHIR exchange. The achievement also supports real-time discovery of verified information about counterparties during dynamic (automated) client registration and authentication.

The value of providing support for UDAP workflows, completing privacy and security accreditation, and enabling certificate-based trust is recognized throughout the healthcare IT industry, and the benefits of UDAP are referenced in HL7® materials; CARIN, Carequality, and Da Vinci implementation guides; and in the FHIR at Scale Taskforce (FAST) Security Tiger Team’s solution to the question of how to manage permissions and security at scale across millions of patients, payers and providers.

Criteria for the TDRAAP Program are available on the EHNAC Criteria Page. Organizations interested in beginning the application process for TDRAAP should complete the application form or contact EHNAC. For organizations that require hands-on support to complete pre-assessment steps, readiness planning, gap assessments and more, see EHNAC’s Consulting and Advisory Services.

TDRAAP will serve as a “good housekeeping seal” of proven readiness and trust to enter onto the interoperability digital exchange highway.

HL7® and FHIR® are registered trademarks of Health Level Seven International and their use does not constitute an endorsement by HL7®.