Authentication
Enabledoc FHIR APIs use TLS 1.2 or higher, OAuth 2.0, and JSON Web Tokens (JWT) for security as described here. Third-party apps must secure and protect the privacy of patients and their data using this technology as part of the HL7 SMART App Framework. A third-party app making calls to any EMHA API resource must include the access token in the Authorization header of the HTTPS request as a bearer token, as illustrated in RFC 6749. The bearer token must be obtained by calling the authorization server, which is accessed over an HTTPS connection. The third-party app must be authorized by the patient's practice, which has received the patient's consent for the application to access patient PHI, unless public OAuth is used by the patient or practitioner to authenticate to the portal from the client app. Patients or practice administrators can activate or deactivate a third-party application's access to their PHI at any time via their Enablemyhealth portal account.
Types of Authentication
Enabledoc EMHA FHIR API uses OAuth 2.0, OpenID, TLS 1.2 or higher, JSON Web Tokens (JWT), and SSL keys to authenticate and secure all communications. EMHA FHIR API adheres to the SMART App Launch Framework and SMART Backend Services to connect third-party applications to Enablemypractice and Enablemyhealth portal systems and data. The framework supports apps for use by medical providers, clinical staff, patients, and other medical professionals via our Enablemyhealth patient and wellness platform. Our Enablemyhealth platform operates Microsoft Identity Framework as an OAuth 2.0 server to provide a reliable, secure authorization protocol for all apps. There are three types of authentication provided:
- Front Facing Confidential
  - App runs on an Enablemyhealth server with only server-side access to the secret
  - App is a native app that uses dynamic client registration and universal redirect_uris to protect the JWT secret
- Front Facing Public Apps
  - App is an HTML5 or JS in-browser app (including single-page applications) that would expose the secret in user space
  - App is a native app that can only distribute a secret statically
- Backend Service: Pull data for one, multiple or all patients
  - A backend service app is registered with the FHIR authorization server under a developer client account (OAuth). Its JWT key set establishes the pre-authorization to the organization's patients, with scope and access to FHIR resources based on administrative approval. At runtime, the app must obtain an access token in order to retrieve the FHIR resources it is pre-authorized for.
OAuth and JWT access tokens are issued by the EMHA FHIR authorization server in accordance with the OAuth 2.0 Authorization Framework, RFC 6749. Use of the client credentials grant type protects the app's authentication credential. This specification describes the requirements for requesting an access token through an OAuth 2.0 client credentials flow, with a JWT assertion as the client's authentication mechanism. The exchange, as depicted above, allows the client to authenticate itself to the FHIR authorization server and to request a one year access token.
How Patient Front Facing apps work:
The workflow for a patient front facing app or portal is as follows:
- End user (patient, or other trusted individual with access to the Patient Portal) clicks a login button in your app, which your app has configured to request our authorization endpoint. This request redirects the end user to the Enablemyhealth portal login screen.
- User logs in using their Enablemyhealth portal account ID and password, grants or denies any OAuth scopes requiring their consent, and is returned to your app’s redirect URI with an appended authorization code.
- Your app makes a token request using the authorization code and is returned a JSON response containing the requested token.
- Your app parses the token JSON response and uses the returned token with the Enabledoc APIs to pull specific data into your app.
How Backend apps work:
The workflow for a backend app is as follows:
- Your backend app, configured to call our authorization endpoint, authenticates using its signed JWT assertion and receives an access token.
- Your app uses the FHIR JSON API to get clinical data.
How Provider Front Facing apps work:
The workflow for a provider or staff front facing app or portal is as follows:
- End user (provider or staff with access to the Patient Portal) clicks a login button in your app, which your app has configured to request our authorization endpoint. This request redirects the end user to the Enablemyhealth portal login screen.
- User logs in using their Enablemypractice account ID and password, grants or denies any OAuth scopes requiring their consent, and is returned to your app’s redirect URI with an appended authorization code.
- Your app makes a token request using the authorization code and is returned a JSON response containing the requested token.
- Your app parses the token JSON response and uses the returned token with the Enabledoc APIs to pull specific data into your app.