Client Application Management

Type	Standard / Implementation Specification	Standards Process Maturity	Implementation Maturity	Adoption Level	Federally required	Cost	Test Tool Availability
Emerging Standard	HL7® FHIR® SMART App Launch Implementation Guide (SMART App Launch IG)	Final	Production	Feedback Requested	No	Free	Yes
Emerging Implementation Specification	UDAP Security for Scalable HL7® FHIR® FAST UDAP Security for Scalable Registration, Authentication, and Authorization Implementation Guide	Balloted Draft	Feedback requested	Feedback Requested	No	Free	No
Emerging Implementation Specification	UDAP Dynamic Client Registration	Balloted Draft	Feedback requested	Feedback Requested	No	Free	No
Emerging Implementation Specification	UDAP JWT-Based Client Authentication	In Development	Feedback requested	Feedback Requested	No	Free	No
Emerging Implementation Specification	UDAP Client Authorization Grants	In Development	Feedback requested	Feedback Requested	No	Free	No

FFAP icon = Federal FHIR Action Plan: Marks standards for coordinated federal adoption. See Appendix V: Federal FHIR Action Plan for more details.

Federal FHIR Action Plan Alignment
HL7® FHIR® SMART App Launch Implementation Guide (SMART App Launch IG) This implementation specification specifies how applications connect to FHIR APIs by requesting authorization from OAuth 2.0-compliant authorization servers. It outlines the process by which an application requests authorization to access a FHIR resource and subsequently uses that authorization to retrieve the resource. There are multiple versions of the SMART App Launch IG, all of which are compatible with FHIR Release 4 (R4). Historically, ASTP has adopted different versions of the SMART App Launch IG based on publication timing. Currently, ASTP has identified Version 2.0.0 as ready for adoption in Certified Health IT under the ASTP HTI-1 Final Rule. Certified Health IT developers typically adopt the version specified in program requirements or the version approved by the National Coordinator through ASTP’s Standards Version Advancement Process (SVAP). The SMART App Launch IG facilitates a persistent application authorization process and adds a security layer to FHIR API deployments, addressing both FHIR server and FHIR application perspectives. This makes the SMART App Launch IG a foundational specification for any FHIR API implementation requiring secure access to FHIR Resources. Referenced in Federal Rulemaking: ASTP HTI-1 Final Rule; CMS Interoperability and Prior Authorization Final Rule (CMS-0057-F) UDAP Security for Scalable HL7® FHIR® FAST UDAP Security for Scalable Registration, Authentication, and Authorization Implementation Guide This implementation specification extends OAuth 2.0 to standardize and automate the application registration process using digital certificates, while securely authenticating participants within health information networks. This specification is compatible with the SMART App Launch IG and aligns with the security requirements of the Bulk Data IG. ASTP has identified Version 1.0.0 of the FAST UDAP Security IG as ready for adoption in Certified Health IT. While its use is currently optional within the Trusted Exchange Framework and Common Agreement™ (TEFCA™), it is expected to become a requirement in the future. The FAST UDAP Security IG provides a standardized method for dynamically registering applications through secure FHIR APIs. Implementers should consider adopting this specification for use cases requiring scalable trust among participants who agree to follow common policies, eliminating the need for individual agreements between organizations to establish trust. ASTP anticipates that this specification will continue to evolve and mature based on implementation experience within TEFCA™.

Federal FHIR Action Plan Alignment

HL7® FHIR® SMART App Launch Implementation Guide (SMART App Launch IG)

This implementation specification specifies how applications connect to FHIR APIs by requesting authorization from OAuth 2.0-compliant authorization servers. It outlines the process by which an application requests authorization to access a FHIR resource and subsequently uses that authorization to retrieve the resource.
There are multiple versions of the SMART App Launch IG, all of which are compatible with FHIR Release 4 (R4). Historically, ASTP has adopted different versions of the SMART App Launch IG based on publication timing. Currently, ASTP has identified Version 2.0.0 as ready for adoption in Certified Health IT under the ASTP HTI-1 Final Rule. Certified Health IT developers typically adopt the version specified in program requirements or the version approved by the National Coordinator through ASTP’s Standards Version Advancement Process (SVAP).
The SMART App Launch IG facilitates a persistent application authorization process and adds a security layer to FHIR API deployments, addressing both FHIR server and FHIR application perspectives. This makes the SMART App Launch IG a foundational specification for any FHIR API implementation requiring secure access to FHIR Resources.
Referenced in Federal Rulemaking: ASTP HTI-1 Final Rule; CMS Interoperability and Prior Authorization Final Rule (CMS-0057-F)

UDAP Security for Scalable HL7® FHIR® FAST UDAP Security for Scalable Registration, Authentication, and Authorization Implementation Guide

This implementation specification extends OAuth 2.0 to standardize and automate the application registration process using digital certificates, while securely authenticating participants within health information networks. This specification is compatible with the SMART App Launch IG and aligns with the security requirements of the Bulk Data IG.
ASTP has identified Version 1.0.0 of the FAST UDAP Security IG as ready for adoption in Certified Health IT. While its use is currently optional within the Trusted Exchange Framework and Common Agreement™ (TEFCA™), it is expected to become a requirement in the future.
The FAST UDAP Security IG provides a standardized method for dynamically registering applications through secure FHIR APIs. Implementers should consider adopting this specification for use cases requiring scalable trust among participants who agree to follow common policies, eliminating the need for individual agreements between organizations to establish trust.
ASTP anticipates that this specification will continue to evolve and mature based on implementation experience within TEFCA™.

Limitations, Dependencies, and Preconditions for Consideration	Applicable Security Patterns for Consideration
The HL7 FHIR SMART Application Launch Framework Implementation Guide Release 2.0.0 is a newer version of the standard that is available for health IT developers to voluntarily update and provide to their customers. It became available when it was added to the Approved Standards for 2022 through ASTP's Standards Version Advancement Process (SVAP). Since FHIR transactions require the use of a FHIR client, client application registration and management is an integral component for apps using FHIR. UDAP Dynamic Client Registration provides an extension to RFC 7591 to better scale the registration and use of FHIR client apps. This profile has seen interest from numerous industry stakeholders as an alternative to manually re-registering apps at every different datasource and as a way to enable sharing of information about apps among datasources. Trusted Dynamic Client Registration provides a path for verification of attributes for apps holding valid digital certificates and the communication of these attributes (e.g. privacy policy) to the end user, increasing confidence in valid FHIR clients within the ecosystem and facilitating the connection of apps to clinical FHIR servers without manual pre-registration. This can be used together with UDAP JWT-based Client Authentication to support reusable client identity for authentication and authorization, to help scale the use of client credentials or authorization code flow, and UDAP JWT-based Client Authorization Grants can be used to transmit Purpose of Use and Consent Information. UDAP is an open collaborative developing profiles to increase scalability, confidence, security, and trust in Open API ecosystems, and allows the re-use of identity proofing and credentialing processes already in place in existing national health information networks. These profiles are in draft status and are in pilot stage. UDAP DCR and Authentication/Authorization have been tested successfully at several HL7 FHIR connectathons and have received positive feedback from multiple stakeholders, including national health information networks, EHR vendors, patient privacy rights advocates, and app developers. These profiles are also compatible with SMART App Launch and UMA. The Security FHIR IG has been established upon the recommendations of ASTP's FHIR at Scale Taskforce (FAST) Security Tiger Team, and has been adapted from IGs previously published by UDAP.org. The objective of the IG is to harmonize workflows for both consumer-facing and B2B applications to facilitate cross-organizational and cross-network interoperability.	System Authentication – The information and process necessary to authenticate the systems involved. User Authentication – The information and process necessary to authenticate the end user. User Details – Identifies the end user who is accessing the data. User Role – Identifies the roles and clearances asserted by the individual initiating the transaction for purposes of authorization. E.g., the system must verify the initiator’s claims and match them against the security labels for the functionalities that the user attempts to initiate and the objects the user attempts to access. Purpose of Use – Identifies the purpose for the transaction, and for the purposes for which the end user intends to use the accessed objects. Patient Consent Information – Identifies the patient consent information that may be required before data can be accessed. May be required to authorize any exchange of patient information May be required to authorized access and use of patient information May be required to be sent along with disclosed patient information to advise the receiver about policies to which end users must comply Query Request ID - Query requesting application assigns a unique identifier for each query request in order to match the response to the original query. Security Labeling – The health information is labeled with security metadata necessary for access control by the end user.

Limitations, Dependencies, and Preconditions for Consideration

Applicable Security Patterns for Consideration

The HL7 FHIR SMART Application Launch Framework Implementation Guide Release 2.0.0 is a newer version of the standard that is available for health IT developers to voluntarily update and provide to their customers. It became available when it was added to the Approved Standards for 2022 through ASTP's Standards Version Advancement Process (SVAP).
Since FHIR transactions require the use of a FHIR client, client application registration and management is an integral component for apps using FHIR.
UDAP Dynamic Client Registration provides an extension to RFC 7591 to better scale the registration and use of FHIR client apps. This profile has seen interest from numerous industry stakeholders as an alternative to manually re-registering apps at every different datasource and as a way to enable sharing of information about apps among datasources.
Trusted Dynamic Client Registration provides a path for verification of attributes for apps holding valid digital certificates and the communication of these attributes (e.g. privacy policy) to the end user, increasing confidence in valid FHIR clients within the ecosystem and facilitating the connection of apps to clinical FHIR servers without manual pre-registration. This can be used together with UDAP JWT-based Client Authentication to support reusable client identity for authentication and authorization, to help scale the use of client credentials or authorization code flow, and UDAP JWT-based Client Authorization Grants can be used to transmit Purpose of Use and Consent Information.
UDAP is an open collaborative developing profiles to increase scalability, confidence, security, and trust in Open API ecosystems, and allows the re-use of identity proofing and credentialing processes already in place in existing national health information networks. These profiles are in draft status and are in pilot stage. UDAP DCR and Authentication/Authorization have been tested successfully at several HL7 FHIR connectathons and have received positive feedback from multiple stakeholders, including national health information networks, EHR vendors, patient privacy rights advocates, and app developers. These profiles are also compatible with SMART App Launch and UMA.
The Security FHIR IG has been established upon the recommendations of ASTP's FHIR at Scale Taskforce (FAST) Security Tiger Team, and has been adapted from IGs previously published by UDAP.org. The objective of the IG is to harmonize workflows for both consumer-facing and B2B applications to facilitate cross-organizational and cross-network interoperability.

System Authentication – The information and process necessary to authenticate the systems involved.
User Authentication – The information and process necessary to authenticate the end user.
User Details – Identifies the end user who is accessing the data.
User Role – Identifies the roles and clearances asserted by the individual initiating the transaction for purposes of authorization. E.g., the system must verify the initiator’s claims and match them against the security labels for the functionalities that the user attempts to initiate and the objects the user attempts to access.
Purpose of Use – Identifies the purpose for the transaction, and for the purposes for which the end user intends to use the accessed objects.
Patient Consent Information – Identifies the patient consent information that may be required before data can be accessed.
- May be required to authorize any exchange of patient information
- May be required to authorized access and use of patient information
- May be required to be sent along with disclosed patient information to advise the receiver about policies to which end users must comply
Query Request ID - Query requesting application assigns a unique identifier for each query request in order to match the response to the original query.
Security Labeling – The health information is labeled with security metadata necessary for access control by the end user.

Form Guide

1. Optional: Background Text / Cover Letter

The "Optional Background Text / Cover Letter" field provides space for additional context or introductory information related to your comment.

This field is entirely optional and serves the following purposes:

Provides context for reviewers
Serves as an introduction if submitting multiple comments
Functions as a cover letter for formal submissions

If you are submitting a single comment for a specific data class or element, you may leave this field blank. For multiple comments, this space is useful for explaining the overall purpose or connection between your comments.

Fig 1 The "Optional Background Text / Cover Letter" field allows users to provide contextual information or introductory remarks for their comment submission.

2. Complete the Comment Form

The comment form contains several fields that require your input:

ISA Content: This field is automatically populated based on the page you are currently viewing. No action is required.

Standards and Implementation Specifications: This drop-down menu is pre-selected based on the topic you're commenting on. The selection reflects the relevant standard or implementation specification for your current page.

Subject: Enter a concise title that summarizes the focus of your comment. This helps reviewers quickly understand the nature of your feedback.

Comment: This is the main field where you provide your detailed feedback, concerns, or suggestions. The comment box includes a text editor with formatting options that allow you to:

Format text as bold or italic
Insert hyperlinks
Create bullet points
Create numbered lists
Apply strike-through formatting
Attach images
Insert tables

Use these formatting options as needed to clearly present your information.

Fig 2 The comment text editor toolbar provides formatting options including bold, italic, links, lists, tables, and image insertion capabilities.

3. Optional: Add Additional Comments

If you need to provide feedback on multiple aspects of the ISA content, you can add additional comments:

After completing your first comment, locate and click the link labeled "Comment on another interoperability need" at the bottom of the form.
A new comment section will appear, allowing you to enter details for your additional comment.
For this new comment section, the "ISA Content" and "Standards and Implementation Specifications" fields will not be automatically populated. You must select the appropriate content and specification from the drop-down menus for each additional comment.
Complete all required fields for your additional comment.
Repeat this process for each additional comment you wish to submit.

Fig 3 The "Comment on another interoperability need" link enables users to add multiple comments within a single submission.

4. Optional: Upload Supporting Files

The platform allows you to upload supporting documentation to enhance your comment:

Locate the "File Upload" section at the bottom of the comment form.
Click to upload any files (such as PDFs or documents) that provide additional context, evidence, or clarification for your comment.

Important: If you have already entered your comments using the form fields, there is no need to upload duplicate content in PDF format. The file upload feature is intended for supplementary materials only. Please avoid uploading files that contain the same information already provided in your comment text.

Fig 4 The "File Upload" section permits users to attach supporting documentation that supplements their written comments.

5. Optional: Save and Exit

If you need to pause your work and return to complete your comment later:

Click the "Save and Exit" button at the bottom of the form.
Your comment will be saved as a draft that you can access and complete later.
When you return to the platform, you will see a red triangle with an exclamation mark next to the "Return to saved Comment" button, indicating that you have saved comments in draft status.
Click the "Return to saved Comment " button to continue working on your draft.
You will be taken to a review page where you can:
1. Select "Submit Comment" to officially submit your feedback.
2. Click "Edit" to return to the comment form and make changes
3. Select "Discard Draft" to delete the saved draft and start fresh

Fig 5 A red triangle with exclamation mark indicator appears next to the "Return to saved Comment" button when draft comments are saved in the system.

6. Review and Submit

Once you have completed your comment:

Click the "Review and Submit" button at the bottom of the form.
This will take you to a review screen displaying your comment(s) in full.
Review all information for accuracy and completeness.
On this review screen, you have three options:
1. Click "Submit Comment" to officially submit your feedback
2. Click "Edit" to return to the comment form and make changes
3. Click "Discard Draft" to delete the comment and start fresh
The review screen also includes a "Print" button that allows you to create a printed copy of your comments for your records.
If you choose to submit, your comment will be recorded in the system and made available for review by the appropriate stakeholders.

Fig 6 The review screen includes a "Print" button that allows users to create a record of their comment submission.

Client Application Management

Add a New Comment

Review comment and Submit

Comment

Client Application Management

Help

1. Optional: Background Text / Cover Letter

2. Complete the Comment Form

3. Optional: Add Additional Comments

4. Optional: Upload Supporting Files

5. Optional: Save and Exit

6. Review and Submit

ISA Comments

Add a New Comment

Review comment and Submit

Comment