Certification Companion Guide:
§ 170.404 Application Programming Interfaces

§ 170.404 Application programming interfaces.

The following Condition and Maintenance of Certification requirements apply to developers of Health IT Modules certified to any of the certification criteria adopted in § 170.315(g)(7) through (10), and (31) through (g)(33) unless otherwise specified in this section.

1. Condition of certification requirements—
   1. General. A Certified API Developer must publish APIs and allow electronic health information from such technology to be accessed, exchanged, and used without special effort through the use of APIs or successor technology or standards, as provided for under applicable law, including providing access to all data elements of a patient’s electronic health record to the extent permissible under applicable privacy laws.
   2. Transparency conditions—
      1. Complete business and technical documentation. A Certified API Developer must publish complete business and technical documentation, including the documentation described in paragraph (a)(2)(ii) of this section, via a publicly accessible hyperlink that allows any person to directly access the information without any preconditions or additional steps.
      2. Terms and conditions—
         1. Material information. A Certified API Developer must publish all terms and conditions for its certified API technology, including any fees, restrictions, limitations, obligations, registration process requirements, or other similar requirements that would be:
            1. Needed to develop software applications to interact with the certified API technology;
            2. Needed to distribute, deploy, and enable the use of software applications in production environments that use the certified API technology;
            3. Needed to use software applications, including to access, exchange, and use electronic health information by means of the certified API technology;
            4. Needed to use any electronic health information obtained by means of the certified API technology;
            5. Used to verify the authenticity of API Users; and
            6. Used to register software applications.
         2. API fees. Any and all fees charged by a Certified API Developer for the use of its certified API technology must be described in detailed, plain language. The description of the fees must include all material information, including but not limited to:
            1. The persons or classes of persons to whom the fee applies;
            2. The circumstances in which the fee applies; and
            3. The amount of the fee, which for variable fees must include the specific variable(s) and methodology(ies) that will be used to calculate the fee.
   3. Fees conditions—
      1. General conditions.
         1. All fees. All fees related to certified API technology not otherwise permitted by this section are prohibited from being imposed by a Certified API Developer. The permitted fees in paragraphs (a)(3)(ii) and (iv) of this section may include fees that result in a reasonable profit margin in accordance with § 171.302.
         2. Permitted fees. For all permitted fees, a Certified API Developer must:
            1. Ensure that such fees are based on objective and verifiable criteria that are uniformly applied to all similarly situated API Information Sources and API Users;
            2. Ensure that such fees imposed on API Information Sources are reasonably related to the Certified API Developer’s costs to supply certified API technology to, and if applicable, support certified API technology for, API Information Sources;
            3. Ensure that such fees to supply and, if applicable, support certified API technology are reasonably allocated among all similarly situated API Information Sources; and
            4. Ensure that such fees are not based on whether API Information Sources or API Users are competitors, potential competitors, or will be using the certified API technology in a way that facilitates competition with the Certified API Developer.
         3. Prohibited fees. A Certified API Developer is prohibited from charging fees for the following:
            1. Costs associated with intangible assets other than actual development or acquisition costs of such assets;
            2. Opportunity costs unrelated to the access, exchange, or use of electronic health information; and
            3. The permitted fees in this section cannot include any costs that led to the creation of intellectual property if the actor charged a royalty for that intellectual property pursuant to § 171.303 and that royalty included the development costs for the creation of the intellectual property.
         4. Record-keeping requirements. A Certified API Developer must keep for inspection detailed records of any fees charged with respect to the certified API technology, the methodology(ies) used to calculate such fees, and the specific costs to which such fees are attributed.
      2. Permitted fee – development, deployment, and upgrades. A Certified API Developer is permitted to charge fees to an API Information Source to recover the costs reasonably incurred by the Certified API Developer to develop, deploy, and upgrade certified API technology.
      3. Permitted fee – recovering API usage costs. A Certified API Developer is permitted to charge fees to an API Information Source related to the use of certified API technology. The fees must be limited to the recovery of incremental costs reasonably incurred by the Certified API Developer when it hosts certified API technology on behalf of the API Information Source.
      4. Permitted fee – value-added services. A Certified API Developer is permitted to charge fees to an API User for value-added services related to certified API technology, so long as such services are not necessary to efficiently and effectively develop and deploy production-ready software that interacts with certified API technology.
   4. Openness and pro-competitive conditions; general condition. A Certified API Developer must grant an API Information Source the independent ability to permit an API User to interact with the certified API technology deployed by the API Information Source.
      1. Non-discrimination.
         1. A Certified API Developer must provide certified API technology to an API Information Source on terms that are no less favorable than it provides to itself and its own customers, suppliers, partners, and other persons with whom it has a business relationship.
         2. The terms on which a Certified API Developer provides certified API technology must be based on objective and verifiable criteria that are uniformly applied to all substantially similar or similarly situated classes of persons and requests.
         3. A Certified API Developer must not offer different terms or services based on:
            1. Whether a competitive relationship exists or would be created;
            2. The revenue or other value that another party may receive from using the API technology.
      2. Rights to access and use certified API technology—
         1. Rights that must be granted. A Certified API Developer must have and, upon request, must grant to API Information Sources and API Users all rights that may be reasonably necessary to:
            1. Access and use the Certified API Developer’s certified API technology in a production environment;
            2. Develop products and services that are designed to interact with the Certified API Developer’s certified API technology; and
            3. Market, offer, and distribute products and services associated with the Certified API Developer’s certified API technology.
         2. Prohibited conduct. A Certified API Developer is prohibited from conditioning the receipt of the rights described in paragraph (a)(4)(ii)(A) of this section on:
            1. Receiving a fee, including but not limited to a license fee, royalty, or revenue-sharing arrangement;
            2. Agreeing to not compete with the Certified API Developer in any product, service, or market;
            3. Agreeing to deal exclusively with the Certified API Developer in any product, service, or market;
            4. Obtaining additional licenses, products, or services that are not related to or can be unbundled from the certified API technology;
            5. Licensing, granting, assigning, or transferring any intellectual property to the Certified API Developer;
            6. Meeting any Certified API Developer-specific testing or certification requirements; and.
            7. Providing the Certified API Developer or its technology with reciprocal access to application data.
      3. Service and support obligations. A Certified API Developer must provide all support and other services reasonably necessary to enable the effective development, deployment, and use of certified API technology by API Information Sources and API Users in production environments.
         1. Changes and updates to certified API technology. A Certified API Developer must make reasonable efforts to maintain the compatibility of its certified API technology and to otherwise avoid disrupting the use of certified API technology in production environments.
         2. Changes to terms and conditions. Except as exigent circumstances require, prior to making changes to its certified API technology or the terms and conditions thereof, a Certified API Developer must provide notice and a reasonable opportunity for API Information Sources and API Users to update their applications to preserve compatibility with certified API technology and to comply with applicable terms and conditions.
2. Maintenance of certification requirements—
   1. Authenticity verification and registration for production use. The following apply to a Certified API Developer with a Health IT Module certified to one or more of § 170.315(g)(10), (31), and (33):
      1. Authenticity verification. A Certified API Developer is permitted to institute a process to verify the authenticity of API Users so long as such process is objective and the same for all API Users and completed within ten business days of receipt of an API User’s request to register their software application for use with the Certified API Developer’s Health IT Module certified to § 170.315(g)(10), (g)(31), and (g)(33).
      2. Registration for production use. A Certified API Developer must register and enable all applications for production use within five business days of completing its verification of an API User’s authenticity, pursuant to paragraph (b)(1)(i) of this section.
   2. Service base URL publication. For all Health IT Modules certified to § 170.315(g)(10), a Certified API Developer must publish, at no charge, the service base URLs and related organization details that can be used by patients to access their electronic health information, by December 31, 2024. This includes all customers regardless of whether the Health IT Modules certified to § 170.315(g)(10) are centrally managed by the Certified API Developer or locally deployed by an API Information Source. These service base URLs and organization details must conform to the following:
      1. Service base URLs must be publicly published in Endpoint resource format according to the standard adopted in § 170.215(a).
      2. Organization details for each service base URL must be publicly published in Organization resource format according to the standard adopted in § 170.215(a). Each Organization resource must contain:
         1. A reference, in the Organization endpoint element, to the Endpoint resources containing service base URLs managed by this organization.
         2. The organization’s name, location, and facility identifier.
      3. Endpoint and Organization resources must be:
         1. Collected into a Bundle resource formatted according to the standard adopted in § 170.215(a) for publication; and
         2. Reviewed quarterly and, as necessary, updated.
   3. Rollout of (g)(10)-certified APIs. A Certified API Developer with certified API technology previously certified to the certification criterion in § 170.315(g)(8) must provide all API Information Sources with such certified API technology deployed with certified API technology certified to the certification criterion in § 170.315(g)(10) by no later than December 31, 2022.
   4. Compliance for existing certified API technology. By no later than April 5, 2021 a Certified API Developer with Health IT Module(s) certified to the certification criteria in § 170.315(g)(7), (8), or (9) must comply with paragraph (a) of this section, including revisions to their existing business and technical API documentation and make such documentation available via a publicly accessible hyperlink that allows any person to directly access the information without any preconditions or additional steps.
3. Definitions. The following definitions apply to this section:
   • API Information Source means an organization that deploys certified API technology created by a “Certified API Developer;”
   • API User means a person or entity that creates or uses software applications that interact with the “certified API technology” developed by a “Certified API Developer” and deployed by an “API Information Source;”
   • Certified API Developer means a health IT developer that creates the “certified API technology.” 
   • Certified API technology means the capabilities of Health IT Modules that are certified to any of the API-focused certification criteria adopted in § 170.315(g)(7) through (10), and (31) through (33).

Paragraph (b)(2)(i) – (iii)
§ 170.215(a) HL7® Fast Healthcare Interoperability Resources (FHIR®) Release 4.0.1

Clarifications:

• The Conditions and Maintenance of Certification requirements only apply to practices of Certified API Developers with respect to the capabilities included in § 170.315(g)(7) through (10), and (31) through (g)(33) unless otherwise specified.

Clarifications:

• The regulation text at 45 CFR 170.404 includes the phrase “unless otherwise specified in this section” to enable the Certification Program to specify requirements in different subparagraphs pertain to different API-based certification criteria. Not all requirements in 45 CFR 170.404 are relevant or would be appropriate for all API-based certification criteria. For example, the service base URL publication requirement at 45 CFR 170.404(b)(2) is not implicated by certification to 45 CFR 170.315(g)(31), (g)(32), and (g)(33). [90 FR 37178]
• The data required and that must be supported to demonstrate conformance to the final § 170.315(g)(10) certification criterion (including all of its associated standards and implementation specifications) constitutes “all data elements of a patient’s electronic health record to the extent permissible under applicable privacy laws.”

Clarifications:

• This provision of the Condition of Certification requirements does not prohibit additional content or limit the type of content a Certified API Developer may include in its terms and conditions. A Certified API Developer would be permitted to include consumer protections in its terms and conditions documentation.
• As part of the requirements at § 170.315(g)(10)(v)(A)(1)(iii), Certified Health IT Developers must publish the method(s) by which their Health IT Modules support the secure issuance of an initial refresh token to native applications according to the technical documentation requirements at § 170.315(g)(10)(viii) and transparency conditions at § 170.404(a)(2). 

Clarifications:

• Certified API Developers and API Users have the ability to collaborate and form relationships, so long as these relationships do not conflict with any of the provisions of the ONC Cures Act Final Rule or other applicable federal and state laws and regulations.
• While the permitted fees set the boundaries for the fees Certified API Developers are permitted to charge and to whom those permitted fees can be charged, they do not prohibit who may pay the Certified API Developer’s permitted fee. In other words, these conditions limit the party from which a Certified API Developer may require payment, but they do not speak to who may pay the fee.
• Fees charged for “value-added services” can arise between an API Information Source and Certified API Developer or API User.
• Fees charged must be based on objective and verifiable criteria that are uniformly applied to all similarly situated API Information Sources and API users. The requirement of objective and verifiable criteria to determine the application of fees to “similarly situated” API Information Sources and API Users is meant to prevent one customer or a specific group of customers to whom the certified API technology is supplied or for whom it is supported from bearing an unreasonably high cost compared to other customers, which could lead to “special effort” for accessing and using APIs (85 FR 25753).
• Discounted fees, or other fee calculation methodologies, used for the licensing or selling of certified API technology are not prohibited under the ONC Health IT Certification Program so long as they result in fees that meet all the requirements of 45 CFR 170.404(a)(3) in the context of the ONC Health IT Certification Program.
• Non-exhaustive examples of fees for services that Certified API Developers would be prohibited from charging:
  • Any fee for access to the documentation that a Certified API Developer is required to publish or make available under this Condition of Certification requirement.
  • Any fee for access to other types of documentation or information that a software developer may reasonably require to make effective use of certified API technology for any legally permissible purpose.
  • Any fee in connection with any services that would be essential to a developer or other person’s ability to develop and commercially distribute production-ready applications that use certified API technology. These services could include, for example, access to “test environments” and other resources that an application developer would need to efficiently design and develop apps. The services could also include access to distribution channels if they are necessary to deploy production-ready software and to production resources, such as the information needed to connect to certified API technology (e.g., service base URLs) or the ability to dynamically register with an authorization server.
• Fees for requirements beyond what a Certified API Developer considers necessary to successfully deploy applications in production are considered supplemental to the development, testing, and deployment of software applications that interact with certified API technology, and can be classified as permitted fees for value-added services as finalized in § 170.404(a)(3)(iv).
• The API Condition and Maintenance of Certification covers a narrower scope of potential fees than are included under information blocking. The fees in this Condition and Maintenance of Certification requirement are specific to certified API technology while the fees considered in information blocking relate to the access, exchange, or use of EHI regardless of the particular technology used.

Clarifications:

• The nature of the costs charged under § 170.404(a)(3)(ii) depends on the scope of the work to be undertaken by a Certified API Developer (i.e., how much or how little labor an API Information Source requires of the Certified API Developer to deploy and upgrade the certified API technology).
• Regarding the “development, deployment, and upgrades” described in § 170.404(a)(3)(ii), while we understand that there is overlap between features of the certified API technology and the “broader EHR product,” we refer specifically to development, deployment, and upgrades made to “certified API technology” as defined in § 170.404(c). Namely, development, deployment, and upgrades made to the capabilities of Certified Health IT Modules that fulfill the API-focused certification criteria adopted at § 170.315(g)(7) through (10).
• Regarding the use of the term “developing” in § 170.404(a)(3)(ii), fees for “developing” certified API technology comprise the Certified API Developer’s costs of designing, developing, and testing certified API technology. Fees for developing certified API technology must not include the Certified API Developer’s costs of updating the non-API related capabilities of the Certified API Developer’s existing Health IT Modules, including its databases, as part of its development of the certified API technology. These costs are typically connected to past business decisions made by the Certified API Developer and typically arise due to Health IT Modules being designed or implemented in nonstandard ways that unnecessarily increase the complexity, difficulty or burden of accessing, exchanging, or using EHI.
• Regarding the use of the term “deploying” in § 170.404(a)(3)(ii), a Certified API Developer’s fees for “deploying” certified API technology comprise the Certified API Developer’s costs of operationalizing certified API technology in a production environment. Such fees include, but are not limited to, standing up hosting infrastructure, software installation and configuration, and the creation and maintenance of API Information Source administrative functions. Fees for “deploying” certified API technology do not include the costs associated with managing the traffic of API calls that are used to access the certified API technology, which a Certified API Developer can only recover under the permitted fee for usage support costs (§ 170.404(a)(3)(iii)). We emphasize that for the purpose of this Condition of Certification, we consider that certified API technology is “deployed” by the customer—the API Information Source—that purchased or licensed it.
• Regarding the use of the term “upgrading” in § 170.404(a)(3)(ii), a Certified API Developer’s fees for “upgrading” certified API technology comprise the Certified API Developer’s costs of supplying an API Information Source with an updated version of certified API technology. Such costs would include the costs required to bring certified API technology into conformity with new requirements of the Certification Program, upgrades to implement general software updates (not otherwise covered by development fees or under warranty), or developing and releasing newer versions of the certified API technology at the request of an API Information Source. The nature of the costs that can be charged under this category of permitted fees depends on the scope of the work undertaken by a Certified API Developer (i.e., how much or how little labor an API Information Source requires of the Certified API Developer to upgrade the certified API technology being supplied from one version or set of functions to the next).
• Should API Users generate revenue from the use of their apps, any fee an API Information Source may impose would not be in scope for this Condition and Maintenance of Certification, but could be covered by the information blocking provisions. Accordingly, we emphasize that such stakeholders should take care to ensure they are compliant with the information blocking provisions and other federal and state laws and regulations that may prohibit or limit certain types of relationships involving remuneration.

Clarifications:

• “Usage-based” fees are fees imposed by a Certified API Developer to recover costs typically incurred for supporting API interactions at increasing volumes and scale within established service levels. That is, “usage-based” fees recover costs incurred by a Certified API Developer due to the actual use of the certified API technology once it has been deployed (e.g., costs to support a higher volume of traffic, data, or number of apps via the certified API technology).
• A Certified API Developer’s “incremental costs” comprise the Certified API Developer’s costs that are directly attributable to supporting API interactions at increasing volumes and scale within established service levels.
• A Certified API Developer should “price” its costs of supporting access to the certified API technology by reference to the additional costs that the Certified API Developer would incur in supporting certain volumes of API use.
• Usage fees for certified API technology will only apply when the Certified API Developer acts on behalf of the API Information Source to deploy its certified API technology. In scenarios where the API Information Source, such as a large hospital system, assumes full responsibility for the technical infrastructure necessary to deploy and host the certified API technology it has acquired, the volume and scale of its usage would be the API Information Source’s sole responsibility, and a Certified API Developer would not be permitted to charge usage-based fees.
• The costs recovered under “usage-based” fees can only reflect “post-deployment” costs. As such, “usage-based” fees cannot include any costs necessary to prepare and “get the certified API technology up, running, and ready for use,” which are costs that must be recovered as part of the deployment services delivered by the Certified API Developer if permitted under § 170.404(a)(3)(ii).
• We clarify that API usage fees related to API “read” services for multiple patients would be calculated using a similar methodology to calculate API usage fees related to API “read” services for single patients. These “usage-based” fees are fees imposed by a Certified API Developer to recover the costs typically incurred to support API interactions for API “read” services for multiple patients once these services have been deployed. This could include, but not be limited to, costs to support a higher volume of traffic, data, or number of apps via the certified API technology (which could include higher costs for hardware, including server space).

Clarifications:

• We clarify that the value-added services need to be provided in connection with and supplemental to the development, testing, and deployment of production-ready software applications that interact with certified API technology. A fee is permitted if it relates to a service that a software developer can elect to purchase from a Certified API Developer, but is not required to purchase in order to develop and deploy production-ready apps for certified API technology.
• We note that examples used to illustrate when a fee would or would not qualify as a “value-added service,” such as app store listing, are demonstrative, but not required unless otherwise noted in the regulation text.
• We permit fees for services associated with the listing and promotion of apps beyond basic application placement so long as the Certified API Developer ensures that basic access and listing in the app store is provided free of charge (if an application developer depended on such listing to efficiently and effectively develop and deploy production-ready apps for use with certified API technology).
• To the degree that a Certified Health IT Developer offers value-added services associated with certified API technology, the Condition of Certification covers its practices related to certified API technology only. Conversely, this Condition of Certification would not apply to any practices that do not involve certified API technology.

Clarifications:

• For the requirement that a Certified API Developer must provide notice and a reasonable opportunity for API Information Sources and API Users to update their applications to preserve compatibility with certified API technology and to comply with applicable terms and conditions, we note that the notice could include a public notice made available on a website, but also encourage Certified API Developers to contact API Information Source customers and registered API Users (application developers) directly prior to updating business and technical documentation.
• For third-party applications chosen by individuals to facilitate their access to their electronic health information (EHI) held by actors, there would not be a need for a business associate agreement  as discussed in the ONC Cures Act Final Rule. There would also generally not be a need for “vetting” on security grounds and such vetting actions otherwise would be an interference.
• We clarify that this rule does not prohibit Certified API Developers from forming business relationships with API Users.
• Application developer affirmations to health IT developers regarding the ability of their applications to secure a refresh token, a client secret, or both, must be treated in a good faith manner consistent with the provisions established in the openness and pro-competitive conditions at § 170.404(a)(4).
• The technical requirements to support patient authorization of apps to access their data in § 170.315(g)(10)-certified API technology are described in § 170.315(g)(10)(v)(A) and require conformance to the HL7^® SMART App Launch Implementation Guide using the OAuth 2.0 framework. Certified Health IT Developers must make these patient authorization capabilities available in their § 170.315(g)(10)-certified APIs according to the general access requirements at § 170.404(a)(1), and openness and pro-competitive conditions at § 170.404(a)(4). Under these collective Program requirements, any individual can authorize apps of their choice to receive their health data without any additional or out-of-band steps, or any other preconditions.

Clarifications:

• This requirement applies to a Certified API Developer with a Health IT Module certified to one or more of the certification criteria adopted in § 170.315(g)(10), (31), and (33).
• The authenticity verification process finalized in § 170.404(b)(1)(i) is optional, but if instituted, the authenticity verification process must be completed within 10 business days.
• Application registration is a technical requirement described in § 170.404(b)(1) that includes requirements for authenticity verification and registration for production use, which are necessary for third-party applications (“apps”) to be able to connect to certified API technology. While Certified API Developers are permitted to institute a process to verify the authenticity of a third-party app developer, this process must be completed within 10 business days of receipt of a registration request. Subsequently, registration for production use must be completed within 5 business days after completing the aforementioned verification process. After registration is completed, a Certified API Developer must grant access and use of its certified API technology to the app in a production environment as required by § 170.404(a)(4)(ii)(A)(1).

Clarifications:

• Certified API Developers must publish in accordance with the requirements at § 170.404(b)(2) the service base URLs and related organization details that can be used by patients to access their EHI for Health IT Modules certified to § 170.315(g)(10) by December 31, 2024.
• As discussed in section VIII.C.6.c of the ONC Cures Act Final Rule, API Information Sources who locally manage their Fast Healthcare Interoperability Resources (FHIR^®) servers without Certified API Developer assistance cannot refuse to provide to Certified API Developers the FHIR^® service base URL(s) that is/are necessary for patients to use to access their EHI. Equally, pursuant to this Maintenance of Certification requirement, they would be required to publish the FHIR^® service base URLs they centrally manage on behalf of API Information Sources.
• To be open and transparent to the public, developers must provide a hyperlink to the FHIR^® Bundle of service base URLs and related organization details to be published with the § 170.315(g)(10)-certified product on the ONC Certified Health IT Product List (CHPL).
• Facility level identifiers, for the purposes of certification to these publication requirements, include identifiers such as: a National Provider Identifier (NPI), Clinical Laboratory Improvement Amendments (CLIA) number, CMS Certification Number (CCN), or other health system ID. Support for one of these identifier types is sufficient, meaning Certified API Developers are not, for example, required to publish individual NPIs as a floor for certification. Different identifiers may be used depending on the customers a Certified API Developer has. [see 89 FR 1288]
• Certified API Developers have the flexibility to consider using “Organization” and “Endpoint” FHIR^® resources profiles, such as the profiles in the User-access Brands and Endpoints specification or Validated Healthcare Directory IG. [see 89 FR 1287]
• Certified API Developers can utilize the “Organization.partOf” data element in the FHIR “Organization” resource to represent parent/child organization relationships that make up organization hierarchies. A child organization may use the same service base URL (i.e., FHIR endpoint) as its parent organization. For the purposes of Certification Program service base URL publication requirements, it is not required that a child “Organization” resource include an “Organization.endpoint” element if its parent “Organization” resource, referenced through the “Organization.partOf” element, already contains the applicable endpoint information in its own “Organization.endpoint” element.
• For the time period between when the HTI-1 final rule is effective and December 31, 2024, Certified API Developers may fulfill their obligations at §170.404(b)(2) by publicly publishing the service base URLs for all customers in a machine-readable format at no charge. [see 89 FR 1287]

Clarifications:

• There are no additional clarifications.

Clarifications:

• There are no additional clarifications.

Clarifications:

• API Users can include, but are not limited to, software developers, patients, health care providers, and payers.
• A person or entity is permitted to serve more than one role for the terms defined in § 170.404(c).
• Stakeholders meet the definition of a term defined in § 170.404(c) based on the context in which they are acting.