On March 9, 2020, the ONC and CMS released updated rules for interoperability and patient access provisions of the bipartisan 21st Century Cures Act. The Cures Act, which was first signed into law on December 13, 2016, was designed to help accelerate medical product development. The Cures Act also included the creation of an interoperable network exchange, which enables the secure exchange and use of electronic health information. It allows for complete access, transfer, and use of all electronically accessible health information.
Within the 21st Century Cures Act lies the new ONC final rule. To facilitate patient access to electronic health information, the rule calls for the use of the SMART Application Launch Framework, OAuth2, and OpenID standards.
Many health organizations wish to implement their own health app solution to comply with the new ONC final rule.
The SMART Application Launch Framework
SMART is a framework for developers to provide a reliable, secure authorization protocol that allows previously authorized apps to access EHR (electronic health records) directly from healthcare providers.
The SMART application launch framework facilitates interoperability by making it easier for your SMART app to communicate and share data with other apps that also use SMART. Interoperability is provided in an open, secure, and standardized way to comply with the Cures Act, and provide better insight into patient data for the patients themselves and healthcare providers.
The OAuth2 Standard
OAuth2 is a well-known standard to provide access authorization without the sharing of passwords between providers and services. It allows for a secure method of authorization that can be integrated into health app solutions.
Designing an authorization system is a complex process; if it is not done correctly, attackers can gain access to users' private information. Using the OAuth2 protocol reduces that complexity and gives users a simple workflow for accessing healthcare websites and apps.
The OpenID Standard
OpenID is an authentication protocol (proving the identity of a user), different from OAuth2, which is an authorization protocol (specifying access privileges). OpenID Connect integrates both OpenID and OAuth2. This allows users to create just one account, for example a Google account, and reuse that account name and password to authenticate to other web or mobile apps such as Airbnb, Dropbox, or Uber. It simplifies an app’s registration workflow without compromising security.
Many people use the same password for multiple web accounts. OpenID helps prevent credential stuffing, which is a technique in which an attacker acquires the login info for one account, and then attempts to gain access to that individual’s other accounts (e.g., email, bank logins, credit cards, etc.) using the one compromised password. With OpenID, the patient will only need to remember one password and keep it secure.
What does this mean for healthcare organizations?
Cures Act compliant health app solutions allow healthcare organizations to securely provide patients with access to their health information via the SMART Application Launch Framework, OAuth2, and OpenID standards. These standards allow for the secure management of passwords and other personal information. It’s important for healthcare organizations to work with a healthcare app development agency that’s knowledgeable in healthcare IT security, the Cures Act, HIPAA, and all other applicable regulations in order to meet these requirements and avoid future headaches or fines.