U.S. Code of Federal Regulations

Regulations most recently checked for updates: Aug 27, 2025

All TitlesTitle 45Chapter APart 170Subpart B - Subpart B—Standards and Implementation Specifications for Health Information Technology
View all text of Subpart B [§ 170.200 - § 170.299]
§ 170.215 - Application Programming Interface Standards.
Link to an amendment published at 90 FR 37208, Aug. 4, 2025.

The Secretary adopts the following standards and associated implementation specifications as the available standards for application programming interfaces (API):

(a) API base standard. The following are applicable for purposes of standards-based APIs.

(1) Standard. HL7® Fast Healthcare Interoperability Resources (FHIR®) Release 4.0.1 (incorporated by reference, see § 170.299).

(2) [Reserved]

(b) API constraints and profiles. The following are applicable for purposes of constraining and profiling data standards.

(1) United States Core Data Implementation Guides—(i) Implementation specification. HL7® FHIR® US Core Implementation Guide STU 3.1.1 (incorporated by reference in § 170.299). The adoption of this standard expires on January 1, 2026.

(ii) Implementation Specification. HL7® FHIR® US Core Implementation Guide STU 6.1.0 (incorporated by reference, see § 170.299).

(2) [Reserved]

(c) Application access and launch. The following are applicable for purposes of enabling client applications to access and integrate with data systems.

(1) Implementation specification. HL7® SMART Application Launch Framework Implementation Guide Release 1.0.0, including mandatory support for the “SMART Core Capabilities” (incorporated by reference, see § 170.299). The adoption of this standard expires on January 1, 2026.

(2) Implementation specification. HL7® SMART App Launch Implementation Guide Release 2.0.0, including mandatory support for the “Capability Sets” of “Patient Access for Standalone Apps” and “Clinician Access for EHR Launch”; all “Capabilities” as defined in “8.1.2 Capabilities,” excepting the “permission-online” capability; “Token Introspection” as defined in “7 Token Introspection” (incorporated by reference, see § 170.299).

(d) Bulk export and data transfer standards. The following are applicable for purposes of enabling access to large volumes of information on a group of individuals.

(1) Implementation specification. FHIR® Bulk Data Access (Flat FHIR®) (v1.0.0: STU 1), including mandatory support for the “group-export” “OperationDefinition” (incorporated by reference, see § 170.299).

(2) [Reserved]

(e) API authentication, security, and privacy. The following are applicable for purposes of authorizing and authenticating client applications.

(1) Standard. OpenID Connect Core 1.0, incorporating errata set 1 (incorporated by reference, see § 170.299).

(2) [Reserved]

[89 FR 1428, Jan. 9, 2024]
© 2016 GovRegs | About | Disclaimer | Privacy