General Best Practices
Core principles and practices that apply to all EHR vendors, regardless of specific implementation details.
Provide comprehensive API documentation
Documentation should be publicly available and comprehensive, with request and response examples for every API endpoint, including the error responses each endpoint can return.
Maintain up-to-date release notes
Provide detailed release notes for all API changes, including new features, deprecations with a removal date, and breaking changes with a migration path.
Document authentication and authorization processes
Clearly explain how to authenticate and authorize API requests, including all required parameters, the scopes an app can request, token lifetimes, and how tokens are refreshed and revoked.
Document app activation process
Provide clear documentation on how healthcare providers can activate and configure third-party applications within the EHR. Include step-by-step instructions with screenshots, required administrator permissions, and any system prerequisites.
Implement OAuth 2.0 for authorization
Use industry-standard OAuth 2.0 flows for delegated access: the authorization code flow with PKCE for user-facing apps, and the client credentials flow for backend services. OAuth 2.0 authorizes access to resources; if an app also needs to know who the user is, layer OpenID Connect on top rather than treating an access token as proof of identity. Avoid the implicit flow and the resource owner password flow.
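As an added example (not code from the original page or from any EHR vendor), the client side of an OAuth 2.0 authorization code flow with PKCE: generating the code_verifier/code_challenge pair, building the authorization request with a state value, validating the redirect back, and assembling the token request. The authorization and token endpoint URLs and the client ID are hypothetical placeholders; a real EHR publishes these in its API documentation. No HTTP is sent, so it runs offline.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical endpoints; substitute the ones from the EHR's documentation.
AUTHORIZE_URL = "https://ehr.example.com/oauth2/authorize"
TOKEN_URL = "https://ehr.example.com/oauth2/token"


def _b64url(raw: bytes) -> str:
    """Base64url without padding, as PKCE and most OAuth profiles require."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, code_challenge) for the S256 method (RFC 7636).

    32 random bytes encode to a 43-character verifier, within the 43..128 range
    the RFC requires. The challenge is the base64url SHA-256 of the verifier.
    """
    verifier = _b64url(secrets.token_bytes(32))
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def verify_code_challenge(verifier: str, challenge: str) -> bool:
    """What the authorization server does at the token endpoint: recompute the
    challenge from the presented verifier and compare in constant time."""
    expected = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return secrets.compare_digest(expected, challenge)


def build_authorization_url(client_id: str, redirect_uri: str, scope: str,
                            state: str, code_challenge: str) -> str:
    """Authorization request for the code flow; state binds the callback to
    this session and code_challenge binds the later token request to it."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def parse_callback(redirect_url: str, expected_state: str) -> str:
    """Extract the authorization code from the redirect, rejecting a missing or
    mismatched state (CSRF / session-fixation defence) and error responses."""
    query = parse_qs(urlparse(redirect_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this session")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    if "code" not in query:
        raise ValueError("callback carries neither code nor error")
    return query["code"][0]


def build_token_request(code: str, client_id: str, redirect_uri: str,
                        code_verifier: str) -> dict[str, str]:
    """Form body the client POSTs to TOKEN_URL to exchange the code for tokens.
    The verifier, not the challenge, is sent; the server recomputes and checks."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "code_verifier": code_verifier,
    }


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    url = build_authorization_url("demo-app", "https://app.example.com/cb",
                                  "patient/*.read offline_access", state, challenge)
    print("redirect the browser to:", url)
    # Constructed callback, standing in for what the EHR would redirect to.
    code = parse_callback(f"https://app.example.com/cb?code=abc123&state={state}", state)
    print("token request body:", build_token_request(code, "demo-app",
                                                      "https://app.example.com/cb", verifier))
```

The server-side check is included to make the point of PKCE explicit: an attacker who intercepts the authorization code but not the verifier cannot complete the exchange, which is why the verifier must stay in the app's memory and never appear in a URL.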
Use HTTPS for all API endpoints
Ensure all API endpoints, including the authorization and token endpoints, are served over HTTPS (TLS 1.2 or later) to protect data in transit. Reject plain-HTTP requests outright rather than redirecting them, since a redirect has already leaked the request, and send an HSTS header so clients do not fall back to HTTP.
Implement proper rate limiting
Protect your API from abuse by rate limiting per client, keyed on the OAuth client or token rather than only on source IP. Return HTTP 429 with a Retry-After header when a limit is exceeded, and document the limits, the window they apply to, and how a client can tell how much quota it has left.
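As an added example (not code from the original page or from any vendor), a per-client token bucket limiter that returns the 429 decision together with the headers a client needs to back off. The clock is injectable so the behaviour is deterministic; the X-RateLimit-* header names are a widely used convention rather than a standard, while Retry-After is the standard HTTP header. The capacity and refill rate are illustrative values.

```python
import math
import time
from dataclasses import dataclass
from typing import Callable


@dataclass
class _Bucket:
    tokens: float   # current allowance, at most `capacity`
    last: float     # clock reading at the last refill


class TokenBucketLimiter:
    """Per-client token bucket: `capacity` requests may burst, then the bucket
    refills at `refill_per_sec`. Key on the OAuth client_id or token subject."""

    def __init__(self, capacity: int, refill_per_sec: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.capacity = capacity
        self.rate = refill_per_sec
        self.clock = clock
        self.buckets: dict[str, _Bucket] = {}

    def check(self, client_id: str) -> tuple[bool, dict[str, str]]:
        """Return (allowed, headers). On denial the caller should respond 429
        and include the headers, especially Retry-After."""
        now = self.clock()
        bucket = self.buckets.get(client_id)
        if bucket is None:
            bucket = _Bucket(tokens=float(self.capacity), last=now)
            self.buckets[client_id] = bucket
        # Lazy refill: credit the tokens earned since the last call, capped.
        bucket.tokens = min(self.capacity, bucket.tokens + (now - bucket.last) * self.rate)
        bucket.last = now

        headers = {"X-RateLimit-Limit": str(self.capacity)}
        if bucket.tokens >= 1.0:
            bucket.tokens -= 1.0
            headers["X-RateLimit-Remaining"] = str(int(bucket.tokens))
            return True, headers

        # Seconds until one full token is available, rounded up so a client
        # that waits exactly Retry-After is guaranteed a slot.
        headers["X-RateLimit-Remaining"] = "0"
        headers["Retry-After"] = str(math.ceil((1.0 - bucket.tokens) / self.rate))
        return False, headers


def handle_request(limiter: TokenBucketLimiter, client_id: str) -> tuple[int, dict[str, str]]:
    """Minimal request handler: 429 plus headers when over limit, 200 otherwise."""
    allowed, headers = limiter.check(client_id)
    return (200 if allowed else 429), headers


if __name__ == "__main__":
    limiter = TokenBucketLimiter(capacity=5, refill_per_sec=1.0)
    for i in range(7):  # the 6th and 7th calls are rejected
        status, hdrs = handle_request(limiter, "demo-app")
        print(i + 1, status, hdrs)
```

Keying on the authenticated client is what makes the limit meaningful: many legitimate hospital integrations sit behind one outbound IP, so a per-IP limit alone throttles honest clients and does nothing against a single abusive app with many addresses.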