InPracSysEHR uses OIDC compliant authorization for API. SSL is required and setting baseurl at SiteAdmin->FhirSetup->’Site Address (required for OAuth2 and FHIR)’ is required.
See Authorization for more details.
This will return the Capability Statement. Note this can be tested by going to the url GET ‘https://servicebackup.inpracsysehr.com:8443/metadata’ or sh curl -X GET ‘https://servicebackup.inpracsysehr.com:8443/metadata’
Provenance resources are requested by including _revinclude=Provenance:target in the search of a resource. Is currently supported for the following resources:
curl -X GET ‘https://servicebackup.inpracsysehr.com:8443/r4/AllergyIntolerance?_revinclude=Provenance:target’
An export operation that implements the BULK FHIR Export ONC requirements can be requested by issuing a GET request to the following endpoints:
curl -X GET ‘https://servicebackup.inpracsysehr.com:8443/r4/$export’
curl -X GET ‘https://servicebackup.inpracsysehr.com:8443/r4/Group/1/$export’
curl -X GET ‘https://servicebackup.inpracsysehr.com:8443/r4/Patient/$export’
You will get an empty body response with a Content-Location header with the URL you can query for status updates on the export.
To query the status update operation you need the system/*.$bulkdata-status scope. An example query:
curl -X GET ‘https://servicebackup.inpracsysehr.com:8443/r4/$bulkdata-status?job=92a94c00-77d6-4dfc-ae3b-73550742536d’
A status Query will return a result like the following:
You can download the exported documents which are formatted in Newline Delimited JSON (NDJSON) by making a call to: sh curl -X GET ‘https://servicebackup.inpracsysehr.com:8443/r4/Document/105232/Binary’
In order to download the documents you will need the system/Document.read scope.
InPracSysEHR supports the ability for 3rd party apps who implement the SMART on FHIR App Launch Implementation Guide 1.1.0 context.
3rd party Apps using the confidential app profile are auto enabled if they are strictly a patient standalone app. A patient standalone app is one that only requests patient only scopes such as patient/*. A provider or system app (requesting permissions such as launch, user/*, system/*, etc) must be authorized by the InPracSysEHR Server Installation Administrator. Access Tokens issued to 3rd party apps are only valid for one hour and must be renewed with a refresh token which is valid for greater than 3 months. Refresh tokens are only issued if offline_access scope is allowed at registration for an individual patient, and authorized by an InPracSys EHR user authenticating with InPracSys EHR through their 3rd party app.
For a patient to have access to their patient data via a 3rd party app they must have api credentials generated by their clinician from the patient demographics page. A patient must not have opted out of 3rd party API access.
InPracSysEHR does NOT support wildcard scopes (patient/. or patient/*.read). Scopes must be requested explicitly by an app at the time of registration. InPracSysEHR does not support adding scopes from the initial registration.
You can disable a client completely which prevents their access tokens from being used in the system from the Admin -> System -> API Clients interface. Edit the client registered in your system you wish to disable and hit the Disable button.
If you wish to revoke a user’s authorization for a particular client you will need to open up the API client from the Admin -> System -> API Clients interface. Once you are editing the client you will need to go to the Authenticated API Users section.
From there you can find the user that is listed and hit the Revoke User button (Note this can be a lengthy list so use your browser’s search text functionality to find the user).
You can revoke an access token two ways. One from the API Client edit screen, finding the client and then the access token’s identifier you wish to revoke.
The second way is if you have the fully encoded access token using the API Client Tools screen. Go to Admin->System->API Clients and then click on the Token Tools button. Paste in the entire encoded token and then select Parse Token. Information about the token will be displayed including the authenticated user that authorized the token. Now select the Revoke Token button to revoke the token. Additionally, at the patient’s direction the token will be revoked within 1 hour. A success message will be displayed when the revocation completes. You can parse the token again to see that the token has been revoked.
Interoperability requirements with InPracSysEHR for Native Applications
It is recommended that native applications follow best practices for native client applications as outlined in RFC 8252 OAuth 2.0 for Native Apps.
Like many RESTful APIs, the InPracSys FHIR API uses OAuth 2 for security. This means that when making calls to any resource with the InPracSys FHIR API, you must pass a Bearer token. This token is passed in the Authorization Header.
FHIR endpoints are of the formats /fhir/r4/{resource} where resource can be patient, allergytolerance, condition etc. which maps to endpoint of the InPracSysEHR FHIR controller which handles the request, and also handles the JSON data conversions.
At a high level, the request processing flow consists of the following steps:
JSON Request -> FHIR Controller Component -> FHIR Validation -> Parsing FHIR Resource -> Standard Service Component -> Validation -> Database
The logical response flow begins with the database result:
Database Result -> Service Component -> FHIR Service Component -> Parse InPracSysEHR Record -> FHIR Controller Component -> RequestControllerHelper -> JSON Response
A state-of-the-art, innovative and complete healthcare IT solution designed to help clinics excel.
This Health IT Module is compliant with the ONC Certification Criteria for Health IT and has been certified by an ONC-ACB in accordance with the applicable certification criteria adopted by the Secretary of Health and Human Services. This certification does not represent an endorsement by the U.S. Department of Health and Human Services.
Additional cost information can be found here.
© 2024 InPracSys. All rights reserved