Every Application Provider that is looking to interact with (clinical) systems in the Provider Organization's infrastructure is represented by a Client on the Founda Platform. Think of this Client as your application's "client profile", defining exactly what data access you need. Before any application can access any data, these Clients have to be authorized by the healthcare provider the application is looking to interact with.
A Client on the Founda Health Platform has:
- A name and description describing the application The Provider Organizations will see this when you are requesting authorization so they know who is the requesting party.
- A set of OAuth2.0 Client credentials
- Client ID: unique identifier for the Client
- Client Secret: secret only known to the Application Provider owning this Client.
- A set of Action Scopes The Action Scopes define which (FHIR) data resources and interactions this Client requires in order to deliver its value.
Imagine that your company is offering a patient portal platform with an application for appointment scheduling. You would be represented on the Founda Platform as an Application Provider. Your application for appointment scheduling needs access to Patient data, Practitioner data, and Schedule and Appointment data to synchronize the doctor's scheduling between an EHR and your application. On the Founda Platform you create a dedicated Client. The beauty of this Client is that you can reuse it for all healthcare providers that you would like to integrate your appointment scheduling application with.
Now, let's say your company is expanding the patient portal platform's services to include remote monitoring. To keep data access well-organized and secure, you can create an additional Client specifically for this new functionality.
Creating distinct Clients for different functionalities offers a clear advantage. It ensures a separation of data access requirements, which is especially handy when different functionalities are offered to different healthcare providers. Each Client profile is independently authorized, guaranteeing that only the necessary data is exchanged with healthcare organizations. This approach not only enhances data security but also minimizes unnecessary data transfer.
Summarized: A Client may link 1-to-1 to an Application Provider's application, as shown in the above diagram for Application 1 - represented by Client 1. However, a Founda Health Platform Client may also be used to represent a group of applications from the same Application Provider - see Client 2 in the above diagram. How a Client represents an Application Provider's application(s) is up to the Application Provider to decide.
A Client can be either of type "test" or of type "production".
When a Test Client is created, a sandbox Provider Organization will automatically be created with scopes permitting all operations upon all FHIR R4 resources. This requires no further approval from a Provider Organization.
When a Production Client is created, the request for this Client defines the (FHIR) scopes that the Application Provider requires. A Production Client must always be authorized by a Provider Organization, accepting the requested (FHIR) scopes, before the application is allowed to interact with that healthcare provider.
Before any Application Provider's Client can access any data at the healthcare provider, the Client has to be authorized. Only after a Provider Organization has explicitly approved an authorization request the Client can access the requested data objects and use the action scopes it defined.
After the Client is authorized by the Provider Organization, the application can interact with Founda's HealthAPI. In order to interact with the HealthAPI, the authorized Client has to receive an access token from the Identity and Access Management service.
How to receive an access token? Check out the OAuth2.0 tutorial!