Da Vinci Payer Data exchange Implementation Guide Release 0.1.0

This page is part of the Da Vinci Payer Data Exchange (v0.1.0: STU 1 Ballot 1) based on FHIR R4. The current version which supercedes this version is 1.0.0. For a full list of available versions, see the Directory of published versions

7 Member-Authorized OAuth2 Exchange

This IG provides a mechanism for Member-authorized exchange of their Health History:

  • From an old Health Plan to a new Health Plan
  • From their Health Plan to a third-party application of the member’s choice.

The authorization method uses the OAuth 2.0 protocol to issue a token to an authorized application or service. The authorized application can then use the token to enable interaction with the FHIR REST API.

When a Member is authorizing sharing of the Member Health History with another Health Plan or a Third Party Application via the OAuth 2.0 protocol the Health Plan that is operating the API MAY offer the Member an option to restrict the sharing of sensitive information, such as behavioral health data, resulting in the data being shared excluding sensitive data that is covered by state and/or federal regulations. However, under the HIPAA right of access the Member is at liberty to share that information if they so wish.

The well defined mechanism for enabling Member/Patient authorization to share information with an application using the FHIR API is to use OAuth2.0 as the Authorization protocol. The member SHALL authenticate using credentials they have been issued with by the Health Plan. This is typically the member’s customer portal credentials.

After authenticating the Member SHALL be presented with an Authorization screen that enables them to approve the sharing of information with the Third Party, or new Health Plan, Application that has client application credentials registered with the Health Plan.

The Authorization screen MAY provide options to allow the Member to limit the information that is shared with the application. For example, this MAY enable the Member to withhold their demographic or behavioral health information.

After successfully authorizing an application an Access Token and Optional Refresh Token SHALL be returned to the requesting application.

The requesting application SHALL use the access token to access the Health Plan’s secure FHIR API to download the information that the Member is allowed to access.

Applications are registered with the API Endpoint. The application owner MAY be:

  • Another Health Plan
  • An Independent developer, such as a Personal Health Record application developer
  • Another Covered Entity, such as a Provider.