Identity and Access Management

The Founda Health Platform makes sure that highly sensitive patient information is protected at all times. Access is restricted to authorized systems, software and/or individuals only. Founda's Identity and Access Management (IAM) Service allows providers to manage and control secure access to their data and it allows for quick and accurate verification of all involved parties. This also ensures that the necessary permissions for using the requested data are in position during every access attempt. The IAM service fully complies with the OAuth2.0 standard.

Founda Health's Identity and Access Management (IAM) service ensures that every connected application and provider organization is precisely identified and authorized.

When an Application Provider creates a "client profile" for their application via the Founda Health platform console, an OAuth2.0 client representing this application is created. This client receives a unique "Client ID" and a confidential "Client Secret." Responsibility for securely storing these identifiers falls on the Application Provider, as they will be used in all future transactions, playing a crucial role in authenticating the client application.

Upon creating a client profile, the Application Provider defines the specific "authorization scopes" that the application requires to operate effectively. These selected "authorization scopes" are securely stored within Founda Health's Identity and Access Management service. Importantly, any authorization request made by an Application Provider must be approved by the respective Provider Organization. This two-step authentication process ensures that only the right applications gain access to the appropriate data, safeguarding patient privacy.

Using the Client Credentials (Client ID and Client Secret), an application can request an access and refresh token. The access token is a vital component, as it must be included in every request made to the HealthAPI service. It's important to note that access tokens have a time limit and expire after 60 minutes. Refresh tokens are used to request new tokens. Both tokens can be generated using the following URL, depending on the region your organization is hosted in: https://identity-oauth.<region>.founda.com/oauth2/token.

For a comprehensive, step-by-step guide on how to authenticate and authorize using OAuth2.0, please refer to our detailed Authentication with OAuth2 tutorial, providing you with the knowledge and tools needed to navigate the identity and access management service.