Implementing Patient Access SMART on FHIR Launch
The Imprivata Patient Access App is launched directly to the authorize endpoint outside of an EHR session and requests context from the EHR's authorization server.
The sections below provide instructions on what information is needed from both the customer and from Imprivata to enable the SMART on FHIR standalone launch.
User Security for the Patient Access App
Patient and provider-facing apps that use OAuth 2.0 authentication require that the users launching the app have certain security points.
Ensure that users who will be accessing the app have the security points for the APIs used by this app and have access to launch the button for the app.
To determine which security points might be needed for an app install, review the list of APIs on the app and identify this app’s FHIR Resources in the FHIR Setup & Support Guide.
For more information, see the User & Security Setup for Apps topic.
To allow users to use OAuth 2.0 Authorization Code flow (e.g., standalone), ensure that the Allow OAuth2 authentication option is enabled in the Login security options settings for both Hyperspace Web and Hyperspace Web EpicCareLink servers within your HSWeb server deployment configuration.
For assistance, reach out to your Client Systems/Kuiper counterparts or open a Sherlock ticket with your Client Systems TS.
Interconnect Setup for the Patient Access App
If you need assistance enabling web services or determining the appropriate rewrite patterns for the Imprivata Patient Access App, contact your Epic Client Systems - Web and Service Servers TS, and reference SLG 7948970.
If you are currently using the Chronicles-Configured OAuth2 Instance and the OAuth2 ARR Use Case, you do not need to complete any additional OAuth2 Interconnect build for this application. For more information on these topics, see the Interconnect Setup Guide or reach out to your Epic Client Systems - Web and Service Servers TS.
Information to Send to the Customer
- Client IDs - The customer will use either the Non-Production or Production client ID in their SMART on FHIR configuration, depending on the environment.
  Only the client IDs for the Imprivata Patient Access app are required for the customer to configure in their SMART on FHIR launch configuration.
Application Name | Non-Production Client ID | Production Client ID |
---|---|---|
Imprivata Patient Access | 303a4d28-aad2-48af-a40d-f3cc3c1c825f | 233370ff-7785-4d83-8753-9477f5331dbf |
Information to Obtain from the Customer
The customer coordinates with their Epic1 team to obtain the following information:
- Technical Connection information - The Interconnect instance base URL for FHIR API traffic.
  Example: https://vendorservices.epic.com/interconnect-amcurprd-oauth
- Data Mapping Requirements - The FHIR OID for patient medical record number (MRN).
  Example: urn:oid:1.2.840.114350.1.13.0.1.7.5.737384.14
Configure the FHIR Integration in Patient Access
With the information above, the Imprivata implementation engineer uses the customer’s Patient Access Admin Console to configure the FHIR integration.
- In the Patient Access admin console, navigate to Integrations > FHIR.
- In the Interconnect instance base URL box, type the Interconnect instance base URL. The value is the {InterconnectInstanceBaseURL}.
- In the Client ID box, type the client identifier for the FHIR service. If this is a test tenant, this is the non-production ID for the Imprivata Patient Access app. If this is the production tenant, this is the production client ID.
- In the FHIR OID box, type the FHIR OID for patient medical record number (MRN).
- In System Type, select Epic, then click Save.
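The steps above depend on three values being entered correctly, and a non-production client ID on a production tenant (or the reverse) is an easy mistake to make. The following pre-flight check is an added example, not part of the Imprivata or Epic tooling. The function name, the tenant labels "production" and "non-production", and the https-only rule for the base URL are assumptions of this example; the client IDs and sample values are the ones shown on this page.

```python
import re
from urllib.parse import urlsplit

# Client IDs as listed in the table on this page.
CLIENT_IDS = {
    "non-production": "303a4d28-aad2-48af-a40d-f3cc3c1c825f",
    "production": "233370ff-7785-4d83-8753-9477f5331dbf",
}
# urn:oid: then dotted arcs; first arc 0-2, no arc with a leading zero.
OID_RE = re.compile(r"^urn:oid:[0-2](\.(0|[1-9][0-9]*))+$")


def check_fhir_settings(tenant, base_url, client_id, mrn_oid):
    """Return a list of problems with the values; an empty list means OK.

    tenant is "production" or "non-production" (hypothetical labels).
    """
    problems = []
    url = urlsplit(base_url.strip())
    if url.scheme != "https":
        problems.append("base URL must use https")
    if not url.hostname:
        problems.append("base URL has no host")
    if url.username or url.password or url.query or url.fragment:
        problems.append("base URL carries credentials, a query or a fragment")

    entered = client_id.strip().lower()
    expected = CLIENT_IDS.get(tenant)
    if expected is None:
        problems.append("unknown tenant type: " + tenant)
    elif entered != expected:
        # Name the environment the entered ID belongs to, if it is a known one.
        other = [t for t, cid in CLIENT_IDS.items() if cid == entered]
        hint = " (this is the %s ID)" % other[0] if other else ""
        problems.append("client ID does not match the %s tenant%s" % (tenant, hint))

    if not OID_RE.match(mrn_oid.strip()):
        problems.append("FHIR OID is not a well-formed urn:oid value")
    return problems


if __name__ == "__main__":
    # Constructed input: the example values from this page, with the
    # non-production client ID entered on a production tenant by mistake.
    for p in check_fhir_settings(
        "production",
        "https://vendorservices.epic.com/interconnect-amcurprd-oauth",
        CLIENT_IDS["non-production"],
        "urn:oid:1.2.840.114350.1.13.0.1.7.5.737384.14",
    ):
        print("PROBLEM:", p)
```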