Wait for it...


Documentation, Tools, Sample Code, etc.


If you're developing a client application that will query HL7 FHIR® data sources enabled by EMR Direct Interoperability Engine, please refer to the following resources:

FHIR STU3 API Documentation

FHIR R4 API Documentation

API Terms of Use

FHIR R4 Endpoints

API Management Platform for Direct Messaging & FHIR

Data holders, register for a complimentary Developer account to view documentation & sample code you can use to easily enable Direct Messaging or HL7 FHIR services in your Health IT application. Includes a test Direct address & FHIR endpoint, email-based support, ETT and Inferno testing guides--everything that's needed for successful certification testing with EMR Direct services.

Interoperability Engine

Drummond Certification Logo

App Registration

Patient-Directed Exchange (includes Individual Access)

Applications that will rely on a patient's credentials assigned by the health system where data access is requested (for example, patient portal credentials used by patients for access to health data one patient at a time) can register here or via Dynamic Client Registration to obtain a client ID and secret and become listed in this App Gallery. In this case, let us know you require a "Client ID and Secret for Patient Access" when registering your app to use it with authorization code flow according to the SMART App Launch framework and in optional UDAP Tiered OAuth workflows. The resulting client ID can then be used at any EMR Direct-supported FHIR endpoint.

Client Credentials/B2B (Bulk Data or one patient at a time)

Apps that will access data for professional purposes will also be listed on the App Studio site, but will want to instead let us know you require a "Digital certificate for a UDAP FHIR client workflow" when registering on the EMR Direct website; the UDAP certificate can then be used in UDAP JWT-Based Client Authentication at any EMR Direct-supported FHIR R4 endpoint or a FHIR STU3 endpoint that has elected to enable client credentials grant. If the data holder approves it, access via client secret is an alternative option. Apps intending to make Bulk Data requests or use other privileged app workflows can register your app by reaching out directly to the Cures Update-capable data holder. In either case, the data holder must also authorize the app’s access to health data.

Servers and Identity Providers

Servers or Identity Providers can request a "Digital certificate for a UDAP FHIR server workflow" when registering on the EMR Direct website; the UDAP certificate can then be used in UDAP Server Metadata or with any compliant UDAP Tiered OAuth client or server.


A knowledge base for Health IT Developers


Test Your FHIR or Direct Messaging App

HealthToGo Sandbox

The HealthToGo Sandbox client application is available to registered Developers who are testing their own implementation of Interop Engine phiQuery (EMR Direct's software for enabling HL7 FHIR services) or who are evaluating UDAP FHIR ecosystem server certificates issued by EMR Direct.

phiQuery integrators use the HealthToGo Sandbox along with Inferno as their test harness to demonstrate to the testing labs how their software uses Interop Engine to meet the ONC 2015 Edition Cures Update certification criteria g.7, g.9, and g.10. HealthToGo Sandbox can also be used to independently test Interop Engine 2021 FHIR services, however proctored Cures Update certification testing uses the Inferno test tool.

Interoperability Engine

Register for an EMR Direct Developer account to enable Direct or HL7 FHIR services you can test with the sandboxes listed here, the Edge Test Tool (ETT) or Inferno and your own no-PHI test data.

We also currently support several pilot programs evaluating advanced use cases like the FAST Security model leveraging UDAP and digital certificates to enable a trusted FHIR ecosystem, using Direct for records requests from the Social Security Administration and others, using the HEART profiles for UMA, OAuth, and OpenID to facilitate grant management, and other use cases for improving workflows through Context-enabled Direct Messaging, for example Patient Event Notifications via Direct.

phiMail Web

For testing Direct Messaging applications built with phiMail, a sandbox version of our web-based Direct Messaging service is also available:

phiMail Web Sandbox

If you're preparing to certify your health IT through a test lab using phiMail, be sure to request a current version of our documentation for use with the testing tools.

Featured Apps

Listing does not imply endorsement


Best practices & other noteworthy topics
Tiered OAuth

If OAuth Servers Could Talk...

The Open API economy is enjoying a great deal of success in health data democratization. The government declared that we should enable Open APIs, so we built them. Then, lo and behold, several developers (most noteworthy Apple) built client applications and...

Transactional Authorization for FHIR

Transactional Authorization for FHIR

In some workflows, it may be necessary to have the user specifically authorize a FHIR transaction or even re-authenticate to complete the transaction. We have worked out a workflow that we call “transactional authorization” to address this that leverages the concept of scopes...

Disrupting Health IT Tweet

Where Were You When Health IT Was Being Disrupted?

For those who haven't been in a mountaintop dojo reading Health IT regulations the last few years (see tweet above or here), I'm happy to share that patient health data is now available to authorized parties about as conveniently as...

Using Digital Certificates with FHIR

Using Digital Certificates with FHIR

There has been substantial effort over the last few years to deploy digital tools to the healthcare setting, so that medical records are more computable both in-place and when shared (think decision support for now, evolving to advanced data processing tools, enabled with artificial intelligence)...

Trusted Exchange Framework

What's a Trusted Exchange Framework and why do we need one?

Somewhere at the crossroads of actual information blocking (or, more likely, accidental information throttling) and use of entirely-appropriate, high security constraints, usability and data access have suffered and medical tests are being duplicated...