Yes. All HIPAA-covered entities and their agents, including health plans are required to support both authentication and authorization rule requirements for REST exchanges. The CAQH CORE Connectivity Rule vC4.0.0 REST requirements specify that entities must support X.509 Digital Certificates for authentication and OAuth 2.0 for authorization.
Frequently Asked Questions - CAQH CORE Connectivity Rule vC4.0.0 -- REST Requirements
- The CAQH CORE Connectivity Rule vC4.0.0 REST Requirements specify both authentication and authorization, does my organization have to implement both methods?
- Do the CAQH CORE Connectivity Rule vC4.0.0 REST requirements for API Endpoints pertain to internal or external API to API exchanges?
- How and when will the next CAQH CORE Connectivity Rule version and REST API version be determined?
- Why don’t Request and Response transactions have unique individual endpoints?
- What endpoint(s) should be used when exchanging a non-X12 payload, such as a HL7 C-CDA over REST?
- Why is JSON the standard included in this rule to exchange data using REST?
- Why doesn’t the CAQH CORE Connectivity Rule vC4.0.0 include all possible HTTP Status and Error codes in the REST requirements?
- Why is there not Tracking of Date and Time and Payload that allows unique identifiers to be used and exchanged in addition to timestamps within the CAQH CORE Connectivity Rule vC4.0.0 REST Requirements?
- When implementing the CAQH CORE Connectivity Rule REST Requirements, which HTTP Methods is my organization required to support?
- The CAQH CORE Connectivity Rule vC4.0.0 REST Requirements define specific metadata that should be included as part of a RESTful exchange. My organization currently supports additional metadata not addressed by the rule, such as Levels and Destination
The CAQH CORE Connectivity Rule vC4.0.0 REST requirements pertaining to API endpoints refer to external API endpoints only. They do not apply to internal API to API exchanges.
CAQH CORE Connectivity Rule versions are updated when revisions are made to the rule. These updates follow the official CAQH CORE Change and Maintenance Process which specifies that when updates are applied, CAQH CORE will notify the industry. REST API versions are determined by the server; usually, new versions are assigned with updates to Endpoint Paths or requirements.
Figure #4.3.1: Informative Example for REST API URI Path Versioning
A REST API is a single conversational thread and uses the same endpoint for the data transactions.
The CAQH CORE Connectivity Rule vC4.0.0, including the REST requirements, is payload agnostic and as such, it supports non-normative endpoint(s) for non X12 payloads (e.g., HL7_CDA_R2, HL7_C-CDA, .pdf, .txt, .jpeg, etc.). This enables the rule to support a variety of data types and allows capability with existing and emerging standards. As the industry continues to evolve, this rule may be updated to include normative non-X12 Payloads.
JSON is commonly identified as the industry standard for REST. The CAQH CORE Connectivity Rule vC4.0.0 REST requirements do not preclude entities from supporting other formats, such as the XML format for REST implementations; however, they would not be conformant to these rule requirements.
The list of HTTP Status and Error Codes is a normative reference tool, not a comprehensive list. The CAQH CORE Connectivity Rule vC4.0.0 REST requirements do not intend to specify the codes required; it only provides examples of codes that could be used. Organizations should be prepared to accept the error codes included in the rule and Status Codes for errors that are defined and maintained by the standards organizations (e.g., Internet Assigned Numbers Authority). Information to determine who to contact for a resolution and guides providing clear descriptions of the codes is out the scope for this rule.
Similar to prior versions of CAQH CORE Connectivity Rules, the requirements in the CAQH CORE Connectivity Rule vC4.0.0 REST Requirements represent a floor and not a ceiling in terms of what organizations can implement. As such, entities may choose to collect additional metadata for tracking and auditing purposes such as identifiers for tracking of date and time and payload.
At a minimum, the CAQH CORE Connectivity Rule vC4.0.0 REST Requirements specify that entities must support the use of HTTP Methods GET and POST but allows entities to use additional HTTP Methods (e.g., PUT, PATCH, DELETE, etc.).
Yes. The CAQH CORE Connectivity Rule vC4.0.0 REST Requirements minimally specify metadata elements to establish a foundation for the industry. Entities may go above and beyond to implement or require support for additional metadata elements to support specific business needs as agreed upon by trading partners.