Health Tech RFI Response

Recommendation: ONC must lead an improved, evidence-based USCDI development and adoption process to ensure that an expanding set of meaningfully standardized and clinically relevant patient data elements is defined. This enhanced USCDI will serve as the common data foundation for all mandated FHIR-based APIs.

Rationale & Specifics:

1. Evidence-Based Prioritization: The process for expanding USCDI must prioritize data elements with demonstrated, widespread real-world use cases and significant benefits for patient care, interoperability, research, or public health.
2. Clear Functional Expectations for SDOs: When new data elements are added to USCDI, ONC should clearly articulate the functional expectations and provide illustrative examples of intended real-world usage. This high-level guidance enables ONC to work effectively with Standard Development Organizations (SDOs) to drive the downstream development of detailed, API-specific technical specifications and implementation guides (e.g., US Core FHIR profiles for single-patient access, and relevant profiles for Bulk FHIR operations).
3. Iterative Refinement: An active feedback loop post-USCDI version release should be established to assess implementation quality and consistency across all API types, allowing for refinement of functional expectations or guidance.
4. Conformance Testing: Certification testing for all FHIR APIs mandated to expose USCDI data must verify that the implementation of USCDI data elements aligns with the detailed specifications in relevant SDO-developed FHIR Implementation Guides (e.g., US Core), serving as a practical proxy for ensuring consistency with ONC's articulated functional expectations.

Recommendation: The ONC Health IT Certification Program must ensure certified Health IT systems implement current, stable, industry-adopted versions of the SMART App Launch Framework and related backend services specifications to support secure and functional single-patient FHIR API access.

Rationale & Specifics: To enable a broad ecosystem of secure and innovative single-patient applications:

1. Current SMART App Launch Versions: Continue to require support for current, stable, industry-adopted versions of the SMART App Launch Framework (e.g., SMART 2.2 or subsequent releases), building on the SMART 2.1 foundation in HTI-1, to incorporate up-to-date security protocols and evolving capabilities. Certification must validate adherence to the specific security functionalities and protocols mandated by the required version.
2. Full CORS Support: Mandate full Cross-Origin Resource Sharing (CORS) support on single-patient FHIR API endpoints to enable purely browser-based applications, lowering barriers for innovative patient-facing tools. Certification must validate correct and complete implementation.
3. Unrestricted offline_access Scope: Ensure the offline_access scope is available for consumer approval for any registered app type (public, confidential, native, browser-based) to empower applications with persistent access and improve user experience. Certification must validate correct and complete implementation.
4. Standardized Endpoint Discovery (User-Facing Brands): Mandate published endpoint lists supporting discovery by physical locations, organizational hierarchies, patient-facing brand names, and institution logos (e.g., aligning with initiatives like the "SMART Patient Access Brands" IG) to improve user experience in app connection.

Recommendation: The ONC Health IT Certification Program must ensure certified Health IT systems implement current, stable, industry-adopted versions of the FHIR Bulk Data Access (Flat FHIR) specification to support efficient, population-level export of USCDI data.

Rationale & Specifics: To enable scalable population health, research, and system transition use cases:

1. Essential Parameter Support: Mandate support for critical FHIR Bulk Data parameters, including _since for incremental updates and _typeFilter (or equivalent mechanisms) for granular data scoping of exported resources. Certification must validate correct implementation. Incremental updates enable systems to use efficient bulk exports that only contain required data and can be processed rapidly. In contrast to notifications when there are changes, incremental export requests represent a simpler approach to integration, support export of historical data, and do not require both the data provider system and the data consumer system to be continuously online.
2. Basic Group Management: Require EHR systems to support standardized API-based creation, modification, and deletion of FHIR Group resources for use in Bulk FHIR exports, without arbitrary group size limitations. Signal intent to adopt community-developed standards via SVAP for more advanced group management capabilities. Group APIs for both roster based groups (e.g., the DaVinci Member Attribution List Implementation Guide) and characteristic based groups (e.g., Argonaut work on FHIR Group API for Bulk Data Access IG) are needed to fully realize the potential of the Bulk Data API.

Recommendation: Certified Health IT implementing FHIR Bulk Data APIs must be foundationally designed to operate efficiently at the population level, and their performance in exporting USCDI data must achieve parity with any proprietary bulk export mechanisms offered by the same system.

Rationale & Specifics: To ensure the regulated Bulk FHIR API is a viable and primary mechanism for population data export, rather than a secondary, underperforming option:

1. Performance Parity: The speed, efficiency, scalability, timeliness, and customization capabilities of the regulated FHIR Bulk Data export operation for USCDI data must be comparable to that of any non-FHIR, proprietary bulk export formats or methods (e.g., CSV exports from a data warehouse) offered by the same Health IT Module when exporting similar volumes of data for comparable patient cohorts. This is not directly certifiable in pre-market testing but should be an explicit expectation and potentially monitored through post-market surveillance or programs like the EHR Reporting Program.
2. Designed for Population Scale: Health IT developers must attest that their FHIR Bulk Data API implementation is architected for efficient operation at population scale (e.g., leveraging appropriate database indexing, asynchronous processing, and scalable infrastructure), rather than being a simple iteration over single-patient APIs.

Recommendation:

1. Certified Health IT must provide a robust, functional, and computable "Electronic Health Information" (EHI) Export for single patients. This EHI export must be available via a standardized API, aligning with or providing functionality equivalent to the Argonaut Project's EHI Export API Implementation Guide, to allow for automated retrieval by patient-authorized applications. This serves as a comprehensive backstop for any information not available through USCDI FHIR APIs and must include structured and unstructured data, along with necessary vendor documentation for interpretation.
2. In addition to providing access to a computable EHI export through the API, systems must also offer patients an API endpoint to export the full HIPAA designated record set in a human readable form.

Rationale & Specifics: A complete, computable, and API-accessible export of all EHI is a cornerstone of patient data access rights and enables numerous use cases, from personal health record aggregation to data migration and advanced analytics by patient-chosen tools.

1. Alignment with Argonaut EHI Export API IG (or Equivalent Functionality):
   • Implementations should support the SMART App Launch flow (e.g., patient/$ehi-export scope) for patient-facing app authorization, as defined in the Argonaut EHI Export API IG.
   • The API should follow the FHIR Asynchronous Request Pattern, including the kick-off request, status polling, and manifest response, as detailed in the Argonaut EHI Export API IG.
   • The manifest returned upon completion should include links to all exported data files (which may include FHIR NDJSON, vendor-specific formats, CSVs, etc.) and, importantly, a link to top-level public vendor documentation (ehiDocumentationUrl) necessary for interpreting the contents of the export, as specified in the Argonaut IG.
   • Support for FHIR DocumentReference resources to describe non-FHIR data files within the export (as profiled in the Argonaut EHI Export API IG's EHIDocumentReference Profile) is crucial for providing metadata and context for diverse data formats.
   • CORS support must be enabled to ensure web-based applications can fully utilize the API and access necessary headers.
2. Completeness: The export must include all EHI as defined by ONC, encompassing both standardized (e.g., USCDI) and non-standardized data, including clinical notes, images (or references to them if not directly included), and other relevant information.
3. Computability: Data should be provided in machine-readable formats. While vendor-specific formats are permissible within the EHI export (as anticipated by the Argonaut IG through DocumentReferences), they must be accompanied by the aforementioned vendor documentation to enable programmatic interpretation by recipient applications. FHIR NDJSON should be used for data that can be represented in FHIR. Human Readability: Data should also be provided through the API in human-readable format so patients can use an app to request and share their complete record from multiple sites with providers, researchers, and AI agents without needing to learn each site's process for submitting and tracking a record request.
4. Usability and Patient Interaction:
   • As described in the Argonaut EHI Export API IG, if the EHI Server supports returning a subset of EHI or requires additional user interaction (e.g., for filtering by date ranges or data types), it should support the Link header with rel="patient-interaction" to direct the user to a page for specifying these options.
   • The process should accommodate workflows that may involve manual steps (e.g., HIM staff review), returning appropriate in-progress status responses until the data is ready for retrieval.
5. Certification Rigor for EHI Export: Certification testing must rigorously verify:
   • API Accessibility: Conformance to the specified asynchronous API pattern (kick-off, status, manifest) and SMART App Launch for authorization.
   • Completeness: Mechanisms or attestations to ensure all EHI is included.
   • Computability: Availability of data in machine-readable formats and the presence of the required ehiDocumentationUrl in the manifest.
   • Functionality: Correct handling of patient interaction links (if supported), status updates, and manifest generation, aligning with the functional expectations of the Argonaut EHI Export API IG or equivalent.

By aligning with industry-developed specifications like the Argonaut EHI Export API IG, ONC can ensure a more consistent, interoperable, and functional approach to fulfilling the Cures Act requirement for full EHI export, making it truly useful for patients and the applications they authorize.

Recommendation: Certified Health IT must provide a clear, easily discoverable, and entirely electronic self-service mechanism for patients to request their complete Electronic Health Information (EHI). This functionality must allow patients to initiate and track their EHI export requests without resorting to manual processes such as phone calls, paper forms, or faxes.

Rationale & Specifics: Patients have a right to access their EHI without undue burden. Current manual request processes are often slow, opaque, and frustrating for patients, creating significant barriers to accessing their own health information. A self-service electronic mechanism is a fundamental step towards empowering patients.

1. Electronic Request Initiation: Patients must be able to submit a request for their full EHI through a secure electronic interface, such as a patient portal or a dedicated online form provided by the certified Health IT.
2. Elimination of Manual Intermediaries for Request Submission: The system must not require the patient to print forms, send faxes, or make phone calls to initiate the EHI request. While backend fulfillment might involve some staff review, the patient's initial interaction and submission must be fully electronic.
3. Status Tracking and Notification: The system should provide patients with a way to electronically track the status of their EHI export request and receive electronic notifications (e.g., email, portal message) upon completion or if further information is needed.
4. Electronic Fulfillment: While the format of the EHI export itself is covered by other requirements (e.g., computability, completeness), the delivery of the export, once ready, should also be facilitated electronically where feasible and secure (e.g., secure download link, direct deposit to a patient-authorized application if an API is used).
5. Discoverability: This self-service EHI request functionality must be prominently displayed and easily accessible within patient-facing interfaces of the certified Health IT.
6. Cost-Free to Patient: Initiating and receiving EHI through this mandated self-service electronic mechanism must be free of charge to the patient.
7. Certification: Certification testing must verify the presence, functionality, and discoverability of this self-service electronic EHI request capability, including the ability to submit a request, track status, and receive notifications entirely through electronic means.

Recommendation: Certified Health IT must support secure, patient-initiated messaging to healthcare providers from third-party applications, utilizing standardized APIs. Signal intent to adopt community-developed standards such as the Argonaut Project's Provider/Patient Secure Messaging API Implementation Guide (https://hackmd.io/@argonaut/H1dQ95xG3) via SVAP.

Rationale & Specifics: To improve patient engagement and streamline communication within the healthcare system:

1. Patient Convenience and Engagement: Enables patients to communicate with their care teams directly from applications they are already using to manage their health, improving navigation of the healthcare system, reducing communication friction, and fostering continuous engagement.
2. Contextual Communication: Facilitates more effective communication by allowing patients to, for example, select specific data within an app (e.g., a portion of a clinical note they are viewing, a concerning lab result, a self-tracked observation) and easily include it as context within their secure message to the provider.
3. Standardized Approach: Adherence to community-developed standards like the Argonaut messaging API (which leverages FHIR Communication) ensures interoperability and provides a consistent, predictable interface for app developers. This includes:
   • Discoverable messaging endpoints.
   • Standardized FHIR resources for message construction and exchange.
   • Alignment with existing security and authorization frameworks like SMART App Launch.
   • Clear expectations for message payloads, including text and potentially references or attachments.
4. EHR Workflow Integration: Certified Health IT must be capable of integrating these incoming patient-initiated messages into existing provider communication workflows (e.g., EHR in-basket, designated messaging queues) to ensure they are reviewed and responded to in a timely and appropriate manner by the care team.
5. Use Case Example: A patient is reviewing a recently released clinical note in their preferred patient-facing application. They identify a section containing medical jargon they don't understand or have a question about their medication dosage. The application, using the standardized API, allows them to highlight this specific text snippet and send a secure message, with the selected text automatically included as context, directly to their provider's EHR system.
6. Certification: ONC certification testing should verify the EHR's capability to:
   • Expose the necessary API endpoints for receiving patient-initiated messages.
   • Correctly process and route messages according to the Argonaut (or similar ONC-specified) messaging IG.
   • Handle contextual data included with messages.
   • Ensure messages are appropriately presented to providers within their standard workflows.
   • Confirm adherence to security and authorization requirements.

Recommendation: Certified Health IT must provide clear, secure, and entirely electronic pathways for individuals to request amendments to their medical records, track the status of these requests, and receive responses, thereby making HIPAA-granted rights more accessible and usable. These pathways must be available through patient-facing interfaces (e.g., patient portals) and programmatically via APIs for patient-authorized applications.

Rationale & Specifics: Making the HIPAA right to request record amendments electronically functional is crucial for data accuracy, patient trust, and engagement. Current manual processes are often burdensome. This could be combined with the approach for "Mandate Patient-Initiated Secure Messaging via Standardized APIs".

1. Electronic Submission: Patients must be able to identify information they believe is incorrect and electronically submit an amendment request with their reasoning, via patient portals and APIs for authorized apps.
2. Status Tracking & Response: The system must provide electronic confirmation of receipt, allow patients to track the request status, and deliver the provider's electronic response (acceptance or denial).
3. Statement of Disagreement: If a request is denied, the system must support the patient's right to electronically submit a statement of disagreement to be included with their record.
4. Provider Workflow Support: Certified Health IT must include tools for providers to efficiently receive, review, manage, and respond to these electronic amendment requests.
5. Certification: Testing should verify the functionality for electronic submission (portal and API), status tracking, electronic response delivery, and the system's support for providers managing these requests, including statements of disagreement.

This ensures patients can exercise their amendment rights efficiently through modern electronic means, contributing to better data quality and patient empowerment.

Recommendation: Certified Health IT must implement support for a defined starter set of FHIR Subscription topics to enable event-driven data synchronization and application workflows, reducing inefficient polling and supporting timely notifications. Rationale & Specifics: Real-time awareness of data changes is crucial for many clinical and patient-facing applications.

1. Core Subscription Topics: At a minimum, support should include topics such as "Patient data updates" (for changes to key USCDI resources associated with a patient) and "Encounter data update" (for new or updated encounters). ONC should align these with industry efforts like the Argonaut Project's US Core Patient Data feed design.
2. Technical Standards: Implementations should align with stable versions of FHIR Subscription specifications (e.g., FHIR R4 Subscriptions Backport IG).
3. Use Cases: This enables use cases like patient apps receiving updates without constant polling, public health systems being notified of reportable encounters, and clinical systems triggering workflows based on new data availability.
4. Certification: Testing should verify the ability to create subscriptions to defined topics and receive notifications when corresponding events occur.

Recommendation: Certified Health IT must support the CDS Hooks specification as a standardized method for integrating external clinical decision support (CDS) services directly into EHR workflows. Rationale & Specifics: Integrating evidence-based guidance and advanced analytics at the point of care requires a standard interface.

1. Core Hooks and Functionality: Mandate support for key CDS Hooks (e.g., version 2.0, including the patient-view hook for context-aware information display and potentially order-sign or order-select for interventional CDS).
2. Data Prefetch and Authorization: Support must include prefetch of relevant US Core data elements and use of fhirAuthorization access tokens to allow CDS services to securely access necessary patient data via FHIR APIs.
3. Alternative to InfoButton: Position CDS Hooks as a modern, more interactive alternative to older context-passing mechanisms like InfoButton.
4. Certification: Testing should validate the EHR's ability to invoke CDS services at specified hook points, pass context correctly, handle returned CDS cards (information, suggestions, app links), and manage authorization for data access.

Recommendation: Certified Health IT must provide programmatic and automatable API access to diagnostic quality medical images, using consistent, standardized authorization flows and ensuring images are shareable and usable by authorized applications. Rationale & Specifics: Medical images are critical clinical data, yet their accessibility via APIs has lagged. EHRs could certify to these capabilities by integrating with an underlying Picture Archiving and Communication System (PACS) as long as all the configuration was in place to make the user and app experience seamless; EHRs are not required to directly store and manage detailed study metadata and raw imaging data, as long as they allow seamless access alongside other clinical data.

1. Standardized API Access: Access should be facilitated via standardized APIs (e.g., DICOMweb for image retrieval) referenced from FHIR resources (e.g., an ImagingStudy resource containing DICOMweb endpoints).
2. Consistent Authorization: Image access must use the same SMART on FHIR authorization mechanisms as used for other clinical data, ensuring a consistent security model for applications.
3. Avoidance of Non-Programmatic "Links": The requirement is for truly programmatic access, not just "imaging links" within a portal that may be context-bound, require manual user interaction to dereference, or are not shareable with third-party applications.
4. Industry Alignment: Encourage alignment with industry efforts such as the Argonaut Project's Imaging Access specifications.
5. Certification: Testing should verify that an authorized application can discover available imaging studies for a patient via FHIR and then programmatically retrieve diagnostic quality images using the specified APIs and authorization flow.

Recommendation: To ensure patients can establish patient portal accounts securely and conveniently online:

1. ONC/CEHRT Requirement: Certified Health IT (CEHRT) offering patient portal capabilities must include the functionality to enable at least one pathway for new patient account provisioning that is fully remote and electronic, and relies on a high-assurance identity proofing process comparable to NIST 800-63 Identity Assurance Level 2 (IAL2).
2. CMS/Provider Requirement: Healthcare provider organizations participating in Medicare and/or Medicaid programs must configure and offer such a compliant remote, high-assurance patient portal account provisioning option to their patients, leveraging the capabilities of their CEHRT. This could be established, for example, as a Condition of Participation or through other relevant program requirements.

Rationale & Specifics: The fundamental goal is to make secure, online patient portal account creation a standard, accessible option for all patients. This requires a two-pronged approach: CEHRT must provide the necessary robust technical capabilities, and healthcare providers must make these capabilities available to patients as part of their participation in federal healthcare programs.

1. CEHRT Capability as the Technical Foundation: ONC's certification ensures that the technology itself possesses the robust, implementable functionality for remote, high-assurance provisioning. This includes:
   • Supporting a fully remote, electronic process.
   • Meeting high-assurance identity proofing standards (e.g., IAL2-comparable). In routine use, patient authentication may be satisfied by on-device FIDO-based biometrics (e.g., Face ID, Touch ID, Windows Hello) that are cryptographically bound to the previously IAL2-verified identity, thereby meeting AAL2 with minimal user friction. Repeated user authentication should not be needed in the context of an ongoing authorization providing long-term access.
   • Flexibility for CEHRT developers in how this is achieved (e.g., integration with IAL2 IdPs, or direct implementation of a compliant workflow).
   • Certification would verify the functionality, security, integrity, and practical usability/configurability by provider organizations.
2. Provider Obligation for Patient Access: CMS's role is to ensure that providers make this ONC-certified capability operational for patients. By establishing this as an expectation for program participation:
   • It makes remote, high-assurance account creation a standard offering, critical for equitable patient access and convenience.
   • It leverages the security enhancements built into CEHRT, ensuring accounts are established on a strong identity basis.
   • It drives adoption of modern, patient-centric digital services.
3. Enhanced Security and Trust: This coordinated approach ensures that remotely provisioned accounts are based on a strong, verifiable identity proofing process, establishing a consistent, high bar for trust.
4. Patient Convenience: Eliminates mandatory in-person steps or reliance on lower-assurance methods, aligning with modern digital service expectations.

Recommendation: ONC must ensure, through proactive engagement with the RCE and evolution of the TEFCA Common Agreement, Qualified Health Information Network Technical Framework (QTF), and associated Standard Operating Procedures (SOPs), that individuals have visibility into and control over how their data is exchanged under TEFCA. Individuals must have robust mechanisms to review audit logs and manage data sharing, accessible through TEFCA-designated services that ensure their choices are honored by all TEFCA QHINs and Participants.

Rationale & Specifics: Building public trust in TEFCA requires empowering individuals with direct oversight and control. The TEFCA framework, its participating QHINs, and connected Health IT systems must support the following:

1. TEFCA-level Patient Sharing Controls and Notifications via Discoverable Interfaces:

   • Individuals must be able to manage their TEFCA data sharing choices and notification settings through at least one clearly designated and easily accessible central point of interaction provided at the TEFCA level.
   • QHINs may also offer their own interfaces for managing these choices and settings, provided they are compatible with and reflect the authoritative settings managed via the TEFCA-level mechanism.
   • These sharing choices and notification settings, once set through a TEFCA-recognized interface, must be propagated and honored by all TEFCA QHINs and their Participants. Supported controls must include:
     • "Freeze Access" Capability: A mechanism for individuals to (reversibly) block all TEFCA-facilitated data disclosures for their data. This freeze would be registered through a TEFCA-level mechanism and honored by all QHINs and their Participants attempting to retrieve data for that individual via TEFCA.
     • "Ask Me First" for Query Approval/Disclosure: An option for individuals to require their explicit, real-time (or near real-time) consent via a notification (e.g., from their chosen QHIN or a TEFCA-designated function) before their data is released in response to specific TEFCA queries, especially for non-treatment purposes or other sensitive exchanges as defined by the individual or TEFCA policy. This represents a specific sharing choice configuration.
     • Network Access Notifications: An option for individuals to receive notifications for TEFCA-based queries or disclosures of their health records. (These could also serve as the trigger for "Ask Me First" approvals.)

2. Patient-Accessible TEFCA Audit Logs:

   • The RCE, under TEFCA, or a TEFCA-designated entity, must provide or facilitate a standardized, secure, cost-free, human-readable, and API-accessible method for individuals to obtain a comprehensive audit log of TEFCA-related activity, potentially accessible via the same interfaces used for managing sharing choices.
   • This log must reflect queries for their data and data disclosures across QHINs and their Participants operating under TEFCA, incorporating relevant audit information from QHINs and from participating data holders (e.g., EHR systems) regarding TEFCA-facilitated exchanges.
   • The architecture for providing this consolidated view must prioritize individual privacy and data minimization. This can be achieved by TEFCA-designated entities querying distributed audit logs maintained by participants (QHINs and data holders) in real-time or near real-time upon an authenticated patient's request, assembling a temporary, consolidated view for the individual, rather than creating a permanent, centralized repository of all log details.

3. Certified Health IT Support for Honoring TEFCA Patient Sharing Choices and Enabling TEFCA Audit Log Access:

   • Recommendation: The ONC Health IT Certification Program must include criteria requiring certified Health IT (used by TEFCA Participants/Subparticipants) to be capable of:
     • Receiving, interpreting, and honoring patient sharing choices (e.g., freeze, settings for "Ask Me First") that are communicated to them through TEFCA-designated mechanisms.
     • Securely responding to authorized audit log queries, initiated on behalf of a patient, by providing relevant local audit event data concerning TEFCA-facilitated exchanges.
   • Rationale: For TEFCA patient controls to be effective end-to-end, and for audit trails to be comprehensive and trustworthy for the patient, EHR systems at the point of data holding must act upon patient sharing choices communicated via TEFCA-designated mechanisms and enable their local TEFCA-related transaction data to be included in the patient's consolidated audit view of TEFCA-facilitated exchanges.
   • Specifics for EHR Certification:
     • Consumption and Honoring of TEFCA Patient Sharing Choices: Certified Health IT must be capable of subscribing to, receiving standardized signals or data from, and acting upon instructions from TEFCA-designated mechanisms responsible for conveying patient sharing choices. This includes appropriately withholding data or awaiting further network instruction based on an individual’s active sharing choices.
     • Responding to Authorized TEFCA Audit Log Queries: Certified Health IT must implement a standardized, secure API endpoint to receive and process authorized audit log queries. These queries, authenticated as being on behalf of a specific patient, would originate from TEFCA-designated services responsible for consolidating patient audit views, or potentially from other TEFCA-authorized client applications acting for the patient. Upon such a query, the EHR must return relevant local audit event data regarding TEFCA-facilitated exchanges for that patient.

Recommendation: ONC, in coordination with the RCE, must define, oversee, and mandate support for a "TEFCA Patient-Developer Credential." This program will provide individuals with a unique, identity-bound digital credential. This credential will enable applications they develop and directly control to securely access only their own data via all standard TEFCA QHIN APIs, and to facilitate simplified registration and access directly with participant EHR FHIR API endpoints, free of network or prohibitive registration access charges for this specific personal use.

Rationale & Specifics: To fully empower individuals, foster grassroots innovation, and ensure patients can directly participate in managing their health information, a dedicated and comprehensive pathway is needed. This pathway allows individuals, acting as their own developers, to bypass commercial IAS provider intermediaries for TEFCA network access and simplifies direct connection to EHRs for their personal data. It positions the patient as a direct, albeit limited-scope, participant across the ecosystem for their own information.

1. Issuance and Nature of the Patient-Developer Credential:
   • Identity Verification: The credential must be issued to an individual only after high-assurance identity verification through a federally recognized or TEFCA-approved Identity Provider (IdP) (as per req_tefca_trustworthy_ias_architecture).
   • Cryptographic Binding & Purpose Designation: The issued credential (e.g., a specific type of client certificate or token) must be cryptographically and uniquely bound to the verified individual’s identity and explicitly designated for "self-access/patient-developer" use only.
   • Cost-Free to the Individual: Obtaining this Patient-Developer Credential must be free of charge.
2. TEFCA Network Access using the Credential:
   • Full TEFCA QHIN API Access (for Own Data): When presented by an application, this credential must grant access to the full suite of TEFCA QHIN APIs (e.g., query, retrieve) that a commercial IAS provider or other network participant would use.
   • Strictly Scoped to Own Data (Network Level): Access granted via this credential at the QHIN level must be technically restricted to only the data pertaining to the credentialed individual.
   • Mandatory QHIN Recognition & Fee Exemption: All TEFCA QHINs must recognize valid Patient-Developer Credentials and not charge individuals or their apps network access fees for this personal use.
3. Facilitating Direct EHR FHIR API Access for Patient-Developers:
   • EHR Recognition of Patient-Developer Context: The TEFCA framework (or related ONC certification criteria for TEFCA participants) should ensure that EHR systems of TEFCA participants are capable of recognizing a context or assertion associated with the Patient-Developer Credential (or a derivative token) to streamline app registration for direct EHR FHIR API access for that specific patient's data.
   • Simplified EHR Dynamic Registration Pathway: For applications presenting evidence of being operated by a patient for their own data (potentially signaled via the Patient-Developer Credential context), EHRs supporting dynamic registration must offer a simplified pathway. This could involve accepting specific assertions or self-attestations for app identity in lieu of more complex commercial registration requirements, enabling individual/hobbyist app development for personal data access directly from an EHR's FHIR API is achieved through this mechanism).
   • No Prohibitive EHR Registration Fees for Personal Use: This simplified pathway for patient-developers accessing their own data directly from an EHR should not involve prohibitive registration or certification fees from the EHR vendor.
4. Clear Distinction from Commercial Pathways: This entire Patient-Developer Credential pathway is explicitly for individual, non-commercial use by patients developing tools for their own data. It does not replace or alter requirements for commercial IAS providers or other applications operating at scale or for multiple users.

Recommendation: The TEFCA Common Agreement and QTF must mandate a high-assurance security and authorization architecture for all Individual Access Services (whether commercial IAS providers or services facilitating the Patient-Developer Credential). This architecture must ensure that applications accessing data on behalf of an individual do so based on explicit, verifiable individual consent, mediated by a narrow set of trusted identity and authorization service providers, with verifiable binding between identity and authorization.

Rationale & Specifics: Protecting patient data shared via any individual access pathway within TEFCA requires a robust, standardized architecture that clearly separates roles and ensures accountability. This model prevents applications from self-attesting permissions and helps limit the potential impact of a compromised application.

1. Federated Trust with Approved Identity Providers (IdPs) for All IAS:

All Individual Access Service pathways, including those used by commercial providers and those facilitating the Patient-Developer Credential, must rely on a defined, limited set of federally recognized or TEFCA-approved, high-assurance Identity Providers (IdPs) for initial individual identity verification. This establishes a "narrow waist" for trusted identity proofing.

2. Explicit, Verifiable Individual Authorization Mediated by Trusted Services:

The act of an individual authorizing an application to access their data must be a distinct, explicit step mediated by a trusted authorization service that leverages the verified identity from an approved IdP. The resulting authorization artifact (e.g., a SMART on FHIR authorization code exchanged for an access token, a FHIR Consent resource, or other digitally signed permission) must be cryptographically bound to the verified individual identity and the specific application being authorized, ensuring non-repudiation and that permissions are granted by the legitimate data subject to a specific recipient for defined purposes.

Critical Architecture Constraints:

• Applications CANNOT create identity credentials or authorization credentials - they may only consume credentials issued by trusted services. Authorization may be digitally signed with the same private key used to present a verified mobile credential (e.g., a state-issued MDL stored in an Apple / Google wallet), so long as the signature is triggered by an on-device biometric ceremony that binds the patient’s intent to the request. An alternative is for the identity verification (IDV) service to handle authorization and consent as part of a single flow, or for separate online IDV and authorization services to be used. Any of these flows is acceptable as long as it meets the principles of a "narrow waist" and binding, as stated in the architecture constraints.
• Narrow waist enforcement: Only the limited set of approved IdPs and authorization services may issue their respective credential types
• Verifiability: Relying parties (QHINs, EHRs) must be able to cryptographically verify that both identity and authorization credentials were issued by approved trusted services
• Security properties of binding must ensure:
  • Non-transferability: Authorization cannot be used by a different identity
  • Non-forgeability: Applications cannot modify or create credentials
  • Accountability: All credential issuance is auditable to specific trusted entities

3. Scoped Access Based on Authorization:

Applications, upon presenting a valid, identity-bound authorization credential, are granted access only to the data permitted by that specific authorization. This principle, combined with fine-grained consent capabilities, helps limit the "blast radius" of any single compromised application or token. Repeated user authentication should not be needed in the context of an ongoing authorization providing long-term network-based access in TEFCA.

4. Support for Diverse IAS Provider Models, Including Non-Reciprocal Patient-Controlled Storage:

• The TEFCA framework must explicitly acknowledge and support IAS providers that function solely as agents for patient-directed data retrieval and local/personal storage (e.g., on a patient's device or personal cloud).
• Such "patient-controlled storage" IAS providers, when authorized by an individual to retrieve data on their behalf, should not be mandated to become queryable TEFCA network nodes themselves or to make the retrieved data available for reciprocal sharing via TEFCA. Their role is to facilitate the patient's right to access and personally hold their data, respecting a patient's choice to keep that consolidated data private and outside of further network exchange, unless explicitly re-authorized by the patient for a different purpose.

5. Facilitation of Individual Data Retrieval within this Architecture:

Within this trustworthy and flexible framework, QHINs must provide or ensure individuals have access to functionalities enabling them to:

• Discover which TEFCA participants are likely to hold their records (Record Locator Service - RLS), via user-friendly interfaces (website and API).
• Initiate cost-free queries for their own USCDI data (and eventually their full Electronic Health Information) from all participating data holders via TEFCA.

Recommendation: ONC should lead or actively support the establishment, maintenance, and governance of publicly available, free, and machine-readable national directory services crucial for enabling nationwide health information exchange and interoperability. Rationale & Specifics: Effective, scalable interoperability across a diverse national landscape requires common, trusted, and easily accessible infrastructure for discovering participants, their capabilities, and their electronic endpoints. This reduces friction for all stakeholders, from application developers to HINs and individual patients seeking to connect.

• Comprehensive National Provider & Health IT Endpoint Directory:
  • Content: This directory must include, at a minimum: healthcare providers (individual and organizational); organizational affiliations; certified Health IT product information in use; publicly accessible electronic service endpoint information (e.g., FHIR API base URLs for patient access, organization-level endpoints, TEFCA QHIN participation details and IAS capabilities); and supported standards and implementation guides (e.g., FHIR versions, US Core versions, other relevant IGs, supported TEFCA Exchange Purposes).
  • Accessibility: The directory must be publicly available, queryable via API, and downloadable in bulk, free of charge for informational and connection purposes.
  • Data Quality & Maintenance: Clear processes for data submission, validation, and regular updates must be established to ensure accuracy and timeliness, potentially leveraging existing data sources (e.g., NPPES) but enhancing them with necessary interoperability-specific details.
  • Governance: A clear governance model for the directory is essential, ensuring neutrality, sustainability, and responsiveness to ecosystem needs.