The Department of Health and Human Services (HHS) has finalized technical standards in the ONC’s 21st Century Cures Act final rule for payers and developers to use, including:

  • SMART IG/OAuth 2.0: SMART Application Launch Framework Implementation Guide Release 1.0.0, November 13, 2018. SMART on FHIR provides reliable, secure authorization for a variety of app architectures with the OAuth 2.0 standard. This Authorization Guide supports the four use cases defined for Phase 1 of the Argonaut Project. This profile is intended to be used by app developers that need to access FHIR resources by requesting access tokens from OAuth 2.0 compliant authorization servers. The profile defines a method through which an app requests authorization to access a FHIR resource, and then uses that authorization to retrieve the resource.
  • OpenID Connect: OpenID Connect Core 1.0 Incorporating Errata Set 1, November 8, 2014. OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It enables clients to verify the identity of the end-user based on the authentication performed by an authorization server, as well as to obtain basic profile information about the end-user in an interoperable and RESTful manner. This specification defines the core OpenID Connect functionality: authentication built on top of OAuth 2.0 and the use of claims to communicate information about the end-user. It also describes the security and privacy considerations for using OpenID Connect.
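The two bullets above describe a single flow from the app's side: request authorization for a FHIR resource (SMART App Launch over OAuth 2.0), exchange the code for a token, and, when the openid scope was granted, check the id_token claims before trusting the user identity it carries (OpenID Connect). The following is an added example, not code from the ONC rule, the SMART or OpenID specifications, or any EHR vendor; it walks that flow on constructed messages so it runs offline. Every endpoint, client id, authorization code and token in it is a constructed placeholder, and the id_token signature check against the issuer's published keys, which must precede the claim checks, is assumed to happen elsewhere.

```python
"""Added example (not ONC, SMART, OIDC or vendor code): client-side SMART App
Launch authorization-code flow plus OpenID Connect id_token claim checks, on
constructed sample data. All endpoints, ids, codes and tokens are placeholders."""
import base64
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder values (assumptions for the example, not real systems).
FHIR_BASE = "https://ehr.example.org/fhir"
AUTHORIZE_ENDPOINT = "https://ehr.example.org/auth/authorize"
TOKEN_ENDPOINT = "https://ehr.example.org/auth/token"
ISSUER = "https://ehr.example.org"
CLIENT_ID = "example-smart-app"
REDIRECT_URI = "https://app.example.com/callback"


def build_authorize_request(launch_token=None, scope=None):
    """Build the authorize URL. Returns (url, state, nonce): state binds the
    callback to this request, nonce binds the id_token to it, and aud names the
    FHIR server the app intends to call so the authorization server can refuse
    tokens aimed at some other resource server."""
    if scope is None:  # EHR launch uses the 'launch' scope; standalone asks for a patient context
        scope = ("launch " if launch_token else "launch/patient ") + "openid fhirUser patient/*.read"
    state, nonce = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": scope,
              "state": state, "aud": FHIR_BASE, "nonce": nonce}
    if launch_token:  # EHR launch: echo the opaque launch token back unchanged
        params["launch"] = launch_token
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}", state, nonce


def check_callback(callback_url, expected_state):
    """Return the authorization code from the redirect, or None when the state
    does not match the one we issued or the server reported an error."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state or "error" in qs:
        return None
    return qs.get("code", [None])[0]


def build_token_request(code):
    """Form body for the code exchange at the token endpoint (public client:
    client_id in the body; a confidential client would authenticate instead)."""
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID}


def scope_permits(granted_scopes, resource_type, access="read"):
    """True if a granted SMART scope (patient/*.read, user/Patient.read, ...)
    covers the requested access to the given resource type."""
    wanted = {f"patient/*.{access}", f"patient/{resource_type}.{access}",
              f"user/*.{access}", f"user/{resource_type}.{access}"}
    return bool(wanted & set(granted_scopes.split()))


def fhir_request_headers(token_response):
    """Headers for the FHIR resource request that follows the token exchange;
    returns None for anything that is not a Bearer token."""
    if token_response.get("token_type", "").lower() != "bearer":
        return None
    return {"Authorization": f"Bearer {token_response['access_token']}",
            "Accept": "application/fhir+json"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_sample_id_token(claims):
    """Constructed id_token for the demo: header.payload plus a dummy signature
    segment, because this offline example has no signing key."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.signature"


def validate_id_token(id_token, issuer, expected_nonce, now=None):
    """Return the list of failing claims (empty means the claims pass). Only
    meaningful after the JWT signature has been verified against the issuer's
    published keys; claim checks alone never prove who issued the token."""
    claims = json.loads(_b64url_decode(id_token.split(".")[1]))
    now = int(time.time()) if now is None else now
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss")
    if CLIENT_ID not in aud:
        problems.append("aud")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        problems.append("exp")
    if claims.get("nonce") != expected_nonce:
        problems.append("nonce")
    if "sub" not in claims:
        problems.append("sub")
    return problems


def demo():
    """End-to-end run over constructed messages: authorize, callback, token
    exchange, id_token check, FHIR request. Returns the pieces for inspection."""
    url, state, nonce = build_authorize_request(launch_token="constructed-launch")
    code = check_callback(f"{REDIRECT_URI}?code=constructed-code&state={state}", state)
    token_response = {  # constructed reply to build_token_request(code)
        "access_token": "constructed-access-token", "token_type": "Bearer",
        "expires_in": 3600, "scope": "launch openid fhirUser patient/*.read",
        "patient": "123",
        "id_token": make_sample_id_token({"iss": ISSUER, "sub": "user-42",
                                          "aud": CLIENT_ID, "nonce": nonce,
                                          "exp": int(time.time()) + 300})}
    return {"authorize_url": url, "code": code,
            "token_request": build_token_request(code),
            "id_token_problems": validate_id_token(token_response["id_token"], ISSUER, nonce),
            "headers": fhir_request_headers(token_response),
            "patient_url": f"{FHIR_BASE}/Patient/{token_response['patient']}",
            "scope_ok": scope_permits(token_response["scope"], "Patient")}
```

Running demo() yields an authorize URL carrying state, nonce and aud, a code accepted only because the callback's state matched, a token request body for the (constructed) token endpoint, an empty list of id_token problems, and the Bearer header for the Patient read that the granted patient/*.read scope covers. Swap in a callback with the wrong state or an id_token whose aud or exp is off and the same functions report the failure instead of silently proceeding.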