The Standard | The Official Blog of HL7

FAST Security Now Part of TEFCA and HTI-2 Requirements

Written by FAST Project Management Team | Jul 17, 2024 5:33:09 PM

If you can’t think of a reason to pay attention to FAST's work, we have a couple for you! Recent requirements related to TEFCA (Trusted Exchange Framework and Common Agreement) and the latest HTI-2 proposed rule have named the FAST Security Implementation Guide (IG). This recognition underscores the importance and foundational nature of FAST's contributions to healthcare interoperability. 

On July 1st, the Recognized Coordinating Entity (RCE) released the Facilitated FHIR Implementation Standard Operating Procedure (SOP), outlining the requirements for using FHIR within the TEFCA framework. Notably, these requirements include adopting the FAST HL7 UDAP Security for Scalable Registration, Authentication, and Authorization FHIR Implementation Guide (SSRAA) by January 1, 2026. This timeline allows organizations to implement FAST Security while still using SMART or other security options in the interim. 

Specifically, the SOP states: 

Prior to January 1, 2026: 

  • All FHIR Adopters MAY follow the requirements of HL7 SSRAA FHIR IG 1.0.0 STU 1 US Section 3 Registration. 
  • Manual registration requests for client_id MUST be resolved within 5 business days where sufficient information has been provided. Information requirements MUST NOT exceed those in Section 3 of HL7 SSRAA FHIR IG and this SOP. 
  • All FHIR adopters MUST use one of the following: 
    • HL7 SSRAA FHIR IG 1.0.0 – STU 1 US Sections 4 and 5; 
    • SMART Release 1.0.0; or 
    • Another authentication and authorization framework that adheres to the QTF requirements and is based on out-of-band agreements between exchange partners. 

Beginning January 1, 2026: 
  • All FHIR Adopters MUST follow the requirements in HL7 SSRAA FHIR IG 1.0.0 – STU 1 US Sections 2, 3, 4, and 5. 

This marks a significant advancement for the adoption of the IG and is the result of extensive efforts by the FAST Security team, including co-leads Luis Maas and Brett Stringham, and everyone involved in the IG development. 

But that's not all! The proposed Health IT Interoperability (HTI-2) rule is out, and it also recommends the adoption of FAST Security for Certified Electronic Health Record Technology (CEHRT). 

HTI-2 reads: 

Proposed Additions: 
  • Requirements in the Program to support dynamic client registration and subsequent authentication and authorization for dynamically registered apps for patient-facing, user-facing, and system confidential applications. 
  • New criteria added to various sections, including:
    • § 170.315(g)(10) 
    • § 170.315(g)(20), (30), and (32) – (35) 
    • § 170.315(j)(2), (5), (8), and (11) 
    • API Conditions and Maintenance of Certification requirements in § 170.404 

The proposal aims to adopt the HL7® Unified Data Access Profiles (UDAP™) Security for Scalable Registration, Authentication, and Authorization Implementation Guide Release 1.0.0 (UDAP Security IG v1) and require several specific sections to support the Program criteria. This would facilitate more timely patient, provider, and system access to health information using applications by providing a more uniform, standardized, and automated application registration pathway. 

So, FAST Security has arrived! By 2028, Registration, Authentication, and Authorization will be ready at scale for all certified HIT and TEFCA members. 

Don’t miss out! The FAST community offers implementation support and other ways to get involved in the FAST Security work and other critical projects. Join us at these upcoming events: 

You can also access the recording and slides from our last FAST Focus Webinar featuring the FAST Security team. 

Reach out to FAST at fast@hl7.org if you’d like to learn more about our work or about becoming a member.