Offline_Access for Provider Applications


Tony J

Feb 6, 2018, 7:14:57 PM
to Cerner FHIR Developers
Dear Cerner staff,

I understand that the "offline_access" scope is not available for Provider apps but is "currently under consideration" (see below).

Is there any chance that this feature is being actively developed? If so, is it possible to share any information regarding its timeline for rollout?

We are currently testing a FHIR application that requires this feature. The app has been successfully tested at institutions using other FHIR-enabled EMR systems.

As such, we are quite eager to get on board, and would appreciate any information you can provide.

Many thanks,
Tony


Is offline_access supported for healthcare providers?  
Cerner does not currently have support for offline_access for providers. It is currently under consideration.

    Jenni Syed (Cerner)

    Feb 7, 2018, 10:32:45 AM
    to Cerner FHIR Developers
    Hi Tony,

    We don't share timelines on this group. 

    I can say that there is no active development on this functionality right now. I would be curious what your use case is for offline_access for provider workflows though. 

    Thanks!
    Jenni

      Tony J

      Feb 7, 2018, 2:57:55 PM
      to Cerner FHIR Developers
      Hi Jenni,

      Thank you for the prompt response. We are beta testing the FHIR interface of an electronic data capture application known as REDCap (projectredcap.org). It is primarily used to collect form-based data in clinical research projects and has a user base of over 600,000 across 2,700 institutions around the world.

      This interface was developed to allow users to pull clinical data from their institutional EMR into REDCap, and has been tested at institutions using other EMR systems.

      As such, many REDCap institutions using Cerner would be very interested in seeing this feature developed.

      Attached are several documents describing this interface in greater detail, but to summarize, REDCap uses offline_access to periodically query the EMR for new patient data (using MRN as the lookup/foreign key) to be adjudicated and imported.

      Hope this answers your question.

      Best,
      Tony
      Technical Information.pdf
      Instructions - General.pdf

      Oleksiy Kononenko

      Mar 8, 2018, 2:54:21 PM
      to Cerner FHIR Developers
      Hello Jenni,

      We are also interested in offline_access support for provider apps. Our use case is that we are converting an existing provider-facing iOS app (for our internal use at BaystateHealth) that has fingerprint login functionality. So we need a way to authenticate against the Ignite server by using a refresh token that is stored in the secure enclave on the device (this secure storage is designed to store highly sensitive information like credit card info, etc.).

      Currently we are able to achieve this by using the refresh token for online_access, which seems to expire after around 24 hours. This way our users must log in once in 24 hours, but our requirement is to allow users to log in with their fingerprint until they log out explicitly.

      What is the expires in value for the online_access refresh token? And also, how can we explicitly revoke the refresh token (log out the current user)?

      Thanks for your help
      Oleksiy

      Matt Randall (Cerner)

      Mar 8, 2018, 6:56:05 PM
      to Cerner FHIR Developers

      Regarding logout with online access - unfortunately, there isn't a mechanism defined in SMART on FHIR for orchestrating a user log-out. It's currently assumed that the user is "logged into the EHR"; thus, if the user then "logs out of the EHR", their tokens would terminate. If the user is coming in from a free-hanging app, that somewhat upends that assumption.

      Regarding your offline access use case, is your intent that a user self-enrolls the app/device into the ecosystem for offline_access, or would that activity be proctored by an administrator to ensure only organizationally-approved devices are being used?  If it is proctored enrollment, would only the administrator have to authenticate, or both users during the enrollment process?

      From a security perspective, is the intent of offline_access in your use case to enable the application to retrieve data automatically when the user is not active?  Or, alternatively, is this purely intended to create single sign-on that enforces the use of biometric enrollment on the device?

      Thank you for any input you can provide on your use case.