CARIN App Registration

From MgmtWiki
Revision as of 14:37, 6 June 2021 by Tom (talk | contribs)


Full Title

This is a review of the CARIN Alliance - App Registration Implementation Guide dated 2021-06-01


  • The CARIN Alliance is a consortium of health information exchange organizations operated by Leavitt Partners.
  • They published the draft App Registration Implementation Guide on 2021-06-01.
  • The primary scope of the Guide concerns the app registration and patient authorization experiences.
  • The guide is focused on the adoption of best practices and not on compliance.
  • The guide only addresses health data provided to the patient in FHIR format from an Electronic Health Record (EHR) from a HIPAA covered entity.
  • Under the final rule for the 21st Century Cures Act, payers can only deny an application or developer access to open APIs, including the patient access APIs, if these connections pose an unreasonable security risk to protected health information in their own systems.
    • It is unclear why the word "payer" appears in the above sentence, as it should apply to all EHRs.
    • So while this particular implementation guide may be targeted to payers, this review addresses the broader problem of all EHRs.
    • The operating assumption is that HIPAA protected health information is also present in payer information.
  • Educational materials are required for patients. This review considers that targeted material needs to be present at the point where the patient makes a choice.


  • The guide is for a "voluntary attestation framework that is aligned to the CARIN Code of Conduct."
  • The guide focuses on registration for Developers and their Applications.
  • CARIN makes the assumption that most applicants will be approved.
  • As is made clear in the Patient Choice wiki, most health apps today do not protect the data in the patient's domain.
  • From that we can conclude that the CARIN guide is directed towards the profitability of the various organizations involved and not on patient empowerment.


  • The guide was written as though the NCCoE (NIST SP 1800 series) publications for the zero trust criteria of the EO on Cybersecurity were never written.