Stream: implementers
Topic: Provider Directory API Auth Implementation
Vidhi Shah (Jul 07 2021 at 11:19):
How do we handle Auth in FHIR server while implementing Provider Directory API as per CMS mandate? Has anybody implemented it before? Should it be an anonymous call or bypass Auth or add credentials/token beforehand for provider directory API call?
Vidhi Shah (Jul 07 2021 at 11:20):
As per https://fhirblog.com/2019/01/15/provider-directories-part-2/, we should include the access token for the provider directory API call. Are there any other options out there, or has any other system implemented it?
John Moehrke (Jul 07 2021 at 12:18):
This is a question of policy. HL7 is not a body that is responsible for policy.
Generally a provider directory tends to need to be publicly readable, but the content it returns must be highly trustworthy. This is usually sufficiently covered with classic HTTPS, which will authenticate the server to the client so that the client knows it is properly connected to the server it intended to connect to.
There might be reason to have user/client tokens (aka OAuth) for read/search operations simply for record keeping, meaning that the access control rule allows everyone that provides a legitimate user token (aka OpenID-Connect) - where legitimate is a policy.
But very constrained on who can create/update/delete. Often each entry will be associated with an organization, and thus only a select few (role) at that organization are allowed to create or change.
All guesses at a realistic policy.
I cover this use-case in my HL7 FHIR Privacy & Security tutorial that is scheduled for next week. https://healthcaresecprivacy.blogspot.com/2021/06/fhir-security-privacy-tutorial.html
Nirmal Fernando (Jul 07 2021 at 12:58):
We implemented them to be Open (unsecured) APIs with rate limiting in place.
Vidhi Shah (Jul 07 2021 at 13:25):
@John Moehrke , thanks for sharing the information. CMS Mandate does not state clearly about its Authorization status, it only defines that the information should be available publicly. Also, if you have any upcoming session on this, would love to join
Vidhi Shah (Jul 07 2021 at 13:26):
@Nirmal Fernando, thanks for sharing. Do you have any public documentation for your FHIR implementation/APIs?
Josh Mandel (Jul 07 2021 at 15:58):
The CMS requirements are for public, open access -- there should not be an authentication step for clients to read/search ("make provider directory information publicly available via a standards-based API").
Josh Mandel (Jul 07 2021 at 15:59):
https://www.cms.gov/about-cms/obrhi/faqs/faqs provides background:
- The Provider Directory API must be publicly available and exclude the security protocols related to user authentication and authorization and any other protocols that restrict the availability of this information to particular persons or organizations (see 85 FR 25543).
Josh Mandel (Jul 07 2021 at 16:00):
@Vidhi Shah, Re: your comment that "CMS Mandate does not state clearly about its Authorization status", see my excerpt from the CMS FAQ above. It's refreshingly clear, I'd say! (Note that David's blog post from 2019, which you link to, is not about how to meet the CMS mandate; it's just a blog post that happens to be about the topic of provider directories. It's important for you not to equate these.)
Vidhi Shah (Jul 08 2021 at 05:25):
@Josh Mandel Thanks much
Last updated: Apr 12 2022 at 19:14 UTC