Thank you for considering OneRecord API for your healthcare interoperability needs. In order to ensure the security and privacy of patient data, there are several prerequisites that must be met before a solution can go live and begin fetching PHI data through OneRecord API.

Please note that OneRecord takes patient data privacy and security very seriously, and OneRecord has strict policies and procedures in place to ensure that customers are responsible and compliant when accessing patient data through OneRecord API. As such, all customers are required to complete the necessary steps outlined on this page before gaining access to the production environment and being able to fetch real PHI data. Your understanding of and commitment to responsible interoperability is appreciated.

Request Production Access

Before you can access production data through OneRecord API, you must first request production access from the OneRecord support team. It is recommended you use your sandbox API Access Token(s) to develop and test your solution in the Stage environment before requesting production access. This will allow you to create a fully functional, demo-able solution before accessing live patient data. Once you have thoroughly tested your solution in Stage, please contact the OneRecord support team to request production access. This will initiate the process of converting your account to a production account, which includes completing the following prerequisites.

OneRecord Certification

OneRecord certification is a critical step in the process of getting access to real patient health data through OneRecord API. Once you have requested production access, a OneRecord team member will reach out to you to set up a meeting. During this meeting, all remaining necessary legal agreements will be signed, and a review of your desired account structure and network paths will take place to ensure that your production account is configured properly.

This is an opportunity to demo your solution to OneRecord to ensure that it meets appropriate standards for privacy and security, and that all necessary configuration steps are prepared to be completed in the live environment. This review process is necessary to ensure that your solution is ready to access real patient data, and to maintain the highest level of trust with OneRecord's healthcare partners.

Once your solution has been approved, you will be asked to supply security certificates to be used when encrypting your communications between OneRecord and its partner networks.

TLS Certificates

After approval through OneRecord certification, you will receive one live API Access Token for each device that has been configured in your account. As the developer of your solution, you will need to provide OneRecord with a mutual TLS certificate. This certificate will be used to verify that the Device JWT presented by your solution matches the certificate. It is important to note that self-signed certificates are not acceptable for production usage. The certificate must be issued by a valid Certificate Authority (CA) to eliminate the need to manage additional public keys.

There are two options to obtain a valid TLS certificate:

  1. Provide OneRecord with the public key of a certificate that has been purchased through one of the approved certificate authorities.
  2. (Not recommended) OneRecord can request a certificate on your behalf, which will result in OneRecord delivering your private key to you.
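As an added example (not OneRecord's tooling and not part of the original page), the following POSIX shell script uses the openssl CLI to pre-check a certificate before it is submitted under option 1: it refuses files that contain private key material (so a key is never sent by mistake), rejects self-signed certificates (issuer equal to subject), optionally verifies the chain against a CA bundle, and extracts the public key from the certificate. The file names, the demo self-signed certificate it generates, and the CA bundle path are constructed assumptions; it requires the openssl command to be installed.

```shell
#!/bin/sh
# Added example: pre-submission checks for a mutual TLS client certificate.
# Assumes the openssl CLI is available. Not OneRecord's own tooling.

# Returns 0 if the certificate in $1 is CA-issued (issuer differs from subject),
# 1 if it is self-signed. Both fields are printed by openssl in the same
# format, so stripping the "subject="/"issuer=" prefix makes them comparable.
cert_is_ca_issued() {
  subj=$(openssl x509 -in "$1" -noout -subject) || return 1
  iss=$(openssl x509 -in "$1" -noout -issuer) || return 1
  [ "${subj#subject=}" != "${iss#issuer=}" ]
}

# Returns 0 when the file is safe to hand over: a PEM X.509 certificate with
# no private key material that is not self-signed. Prints the reason on failure.
cert_ready_for_submission() {
  f="$1"
  if grep -q "PRIVATE KEY" "$f" 2>/dev/null; then
    echo "REJECT: $f contains private key material; send only the certificate" >&2
    return 1
  fi
  if ! openssl x509 -in "$f" -noout >/dev/null 2>&1; then
    echo "REJECT: $f is not a PEM X.509 certificate" >&2
    return 1
  fi
  if ! cert_is_ca_issued "$f"; then
    echo "REJECT: $f is self-signed (issuer equals subject)" >&2
    return 1
  fi
  echo "OK: $f, $(openssl x509 -in "$f" -noout -issuer)"
}

# Optional chain check against a CA bundle ($2, e.g. /etc/ssl/certs/ca-certificates.crt,
# an assumed path). Returns openssl verify's status.
cert_chain_verifies() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Writes only the public key of certificate $1 to $2 (never the private key).
extract_public_key() {
  openssl x509 -in "$1" -noout -pubkey > "$2"
}

# Constructed demo input: a throwaway self-signed certificate and key written
# into directory $1. It exists only so the checks can run offline; it is not a
# real device certificate and would be rejected by cert_ready_for_submission.
make_demo_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=demo-device.example" \
    -keyout "$1/demo.key" -out "$1/demo.crt" >/dev/null 2>&1
}

# Stand-alone usage: ./check_cert.sh /path/to/device.crt [ca-bundle.pem]
if [ -n "${1:-}" ]; then
  cert_ready_for_submission "$1" || exit 1
  if [ -n "${2:-}" ]; then
    cert_chain_verifies "$1" "$2" && echo "OK: chain verifies against $2" \
      || { echo "REJECT: chain does not verify against $2" >&2; exit 1; }
  fi
  extract_public_key "$1" "${1%.crt}.pub.pem" && echo "public key written to ${1%.crt}.pub.pem"
fi
```

Run it against the certificate you intend to submit; a self-signed certificate or a file that carries a private key is rejected before anything leaves your machine, and the extracted `.pub.pem` is the public portion referenced in option 1.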

Certificate Authorities

Below is a list of approved Certificate Authorities that OneRecord currently supports:

  • VeriSign
  • DigiCert
  • GeoTrust
  • GlobalSign
  • Comodo
  • GoDaddy
  • Symantec

If your Certificate Authority is not listed above, please contact OneRecord support to inquire about adding it to the approved list.