Stream: CARIN IG for Blue Button®
Topic: Third Party App Registration
Josh Lamb (May 26 2020 at 18:02):
I wanted to gauge the community's support for including guidance as part of the IG regarding a uniform application registration process. I imagine it would be jarring for application developers to have a different registration process for each payer they wished to support.
Do we think this could fall within the scope of the IG? Would we want it to?
Somewhat related, how will application developers interface with all of the various health plans? This could be a huge task for an app developer if they need to reach out to all 300+ payers individually. I am not sure how an app developer could reasonably find all of the various payers app registration pages.
Michele Mottini (May 26 2020 at 19:39):
This is currently a big problem when trying to connect to providers. Having something uniform would be great, but I do not know if it is realistic to try to put it in the implementation guide
John Moehrke (May 26 2020 at 19:52):
Yes, but it should not be specific to CARIN Blue Button. There is an effort in the SMART-on-FHIR space, mostly around Argonaut, to work this problem as a unified problem that can be used in many domains such as payers.
Josh Lamb (May 26 2020 at 20:20):
I know 1UP Health put together a directory of apps who signed the CARIN code of conduct. It may be good to have a similar directory, where an app developer can find links to the registration pages for all of the various payers.
Ryan Howells (Jun 01 2020 at 16:13):
We are working on this @josh lamb with @Aaron Seib @Luis Maas on this topic. We have a list of the apps who have signed the CARIN code of conduct on MyHealthApplication.com. We also are recommending health plans leverage UDAP.org to assist in registering trusted apps.
Bruno R Neves (Jun 18 2020 at 19:30):
On the recommendation to use UDAP's DCR... Looking into details from UDAP site, it seems that this DCR implementation is in Draft status. Two questions here, 1. Any tentative date for a "final" version? 2. Any issue with the standard OAuth DCR spec (RFC 7591) that made the team recommend UDAP's implementation instead?
Bhanu Vemuri (Aug 11 2020 at 12:38):
We are planning to categorize vendors apps into "trusted" and "not trusted" based on CARIN code of conduct attestation. Intent is to allow apps that sign CARIN code of conduct connect with us through UDAP and others through the manual registration process. like to hear thoughts about it from others? Also, how payers can validate a specific app that connecting with us through UDAP is signed the CARIN code of conduct as this information persisted outside the payers systems?
Michele Mottini (Aug 11 2020 at 12:54):
how payers can validate a specific app that connecting with us through UDAP is signed the CARIN code of conduct
I don't believe you can
Very few (no?) app currently support UDAP
Josh Mandel (Aug 11 2020 at 20:28):
To me, this is mixing two very different concepts: how apps register (technical question), and whether they follow a specific set of terms (policy question).
Josh Mandel (Aug 11 2020 at 20:28):
If the recommendation is to use udap, why restrict it to only certain apps?
Josh Mandel (Aug 11 2020 at 20:29):
I should also say (I've said it in other forums) that recommending UDAP in the IG before we have production experience with it seems premature.
Ryan Howells (Aug 13 2020 at 02:47):
Agreed @Josh Mandel From the beginning, the SMART App Launch Framework has been listed as a SHALL and UDAP has been listed as a SHOULD in the CARIN for Blue Button IG. @Bhanu Vemuri We would be interested in testing this at either the Patient Access API event next week or the HL7 connectathon in September. @Amol Vyas @Mark Roberts @Luis Maas @Aaron Seib can help you get connected to some apps who may be interested.
Ryan Howells (Aug 13 2020 at 02:59):
We are still actively reviewing this approach but we would be interested in the community's comments on the attached draft regarding third-party app registration using UDAP. Please include your thoughts in the chat or the attached Google Doc. https://docs.google.com/document/d/1HgOlUWMEsZHBChuP4DACRka4ap2S8UwSTkAz4oY6bCo/edit
Our intent would be to include this guidance in the IG as a SHOULD rather than a SHALL once we get the community's input. @Bhanu Vemuri and others: It would be great to work with @Amol Vyas @Luis Maas @Mark Roberts to see if we could try and test this approach soon.
Josh Mandel (Aug 13 2020 at 03:07):
I don't think we're agreeing -- "SHOULD" level guidance is a recommendation; I'm saying it's premature to recommend supporting external specifications that our implementation community doesn't have real experience with. This would be better scope for follow-on IGs.
Aaron Seib (Aug 13 2020 at 03:30):
Hi Ryan et al. - coincidentally Bhanu and I have a call scheduled tomorrow to discuss further - definitely a topic we are excited to share more about.
Ryan Howells (Aug 13 2020 at 03:58):
It's certainly worth further discussion. Our health plan colleagues have expressed interest in more of an automated app registration approach but it's unclear how many will use it out of the gate. We've also been following the lead of ONC FAST, DaVinci, and Carequality who have all discussed using UDAP.
Josh Lamb (Aug 13 2020 at 04:23):
From an implementors perspective, UDAP would be a scope increase for application registration. We will be required to support the manual process, even if we used UDAP. I am not imagining a flood of application developers that would justify automating this process.
John Moehrke (Aug 13 2020 at 12:43):
Please include @Jenni Syed and @Isaac Vetter who do have real world experience. The lessons the EHR community have learned should not need to be re-invented by the payer community.
Ryan Howells (Aug 21 2020 at 15:31):
Agree John. We've reached out to both.
Last updated: Apr 12 2022 at 19:14 UTC
