Inferensys

Glossary

Unified Data Access Profiles (UDAP)

A set of security protocols for dynamic, scalable trust in healthcare ecosystems, using PKI and OAuth 2.0 to enable automated, cross-organizational authentication and authorization for FHIR APIs.
Data scientist building training data pipeline on laptop, data preprocessing visible, technical workspace.
TRUST FRAMEWORK

What is Unified Data Access Profiles (UDAP)?

A set of security protocols for dynamic, scalable trust in healthcare ecosystems, using PKI and OAuth 2.0 to enable automated, cross-organizational authentication and authorization for FHIR APIs.

Unified Data Access Profiles (UDAP) is a technical trust framework that leverages Public Key Infrastructure (PKI) and OAuth 2.0 to automate the secure, cross-organizational exchange of health information via FHIR APIs. It defines a workflow for dynamic client registration and identity proofing, allowing a healthcare organization to cryptographically verify the identity of an external application and grant authorized access to patient data without pre-existing bilateral legal agreements or manual credential provisioning.

The UDAP workflow begins with a client presenting an X.509 digital certificate issued by a trusted Certificate Authority within the ecosystem. The server validates this certificate chain against a published trust community, then uses the authenticated identity to issue a signed JSON Web Token (JWT) for authorization. This scalable, zero-trust architecture eliminates the operational friction of manual federation, enabling compliant, real-time interoperability between providers, payers, and third-party applications under the TEFCA framework.

UNIFIED DATA ACCESS PROFILES

Core Characteristics of UDAP

The architectural pillars that enable dynamic, scalable, and automated trust between healthcare organizations, moving beyond static certificates to a living ecosystem of identity and authorization.

01

Dynamic Client Registration

Replaces manual, out-of-band registration with an automated, standards-based process. A client presents a software statement—a signed JSON Web Token (JWT) containing its metadata and public key—to a UDAP server endpoint. The server validates the signature against a trusted certificate chain and, upon success, issues a unique client_id instantly. This eliminates weeks of administrative overhead and human error, enabling scalable federation across thousands of endpoints.

< 1 sec
Registration Time
02

PKI-Based Trust Framework

UDAP leverages a hierarchical Public Key Infrastructure (PKI) rooted in mutually trusted Certificate Authorities (CAs). Unlike shared secrets or bearer tokens, trust is established through X.509 certificates issued to both clients and servers. This creates a cryptographically verifiable chain of trust that scales across organizational boundaries without pairwise credential management. The framework supports both chained trust (intermediate CAs) and direct trust models, allowing communities to define their own trust anchors.

X.509
Certificate Standard
04

Tiered OAuth for Patient and System Access

UDAP harmonizes two distinct authorization tiers within a single ecosystem:

  • Consumer-Facing (UDAP Tier 1): Extends SMART on FHIR for individual patient access, using user-facing OAuth flows where a patient authorizes an app to access their own data.
  • Business-to-Business (UDAP Tier 2): Enables organizational-level access for population queries, bulk data operations, and cross-institutional research without a human in the loop. This dual-tier architecture ensures a single FHIR server can securely serve both individual patients and large healthcare organizations.
05

Automated Trust Community Management

UDAP defines a Trust Community construct—a set of organizations that agree to common policies, certificate authorities, and operational rules. Membership is managed through resolvable endpoints that publish community metadata, including:

  • A list of trusted CAs and their certificates
  • Required software statement claims
  • Supported authentication and authorization protocols New entities can discover and join a community programmatically by fetching this metadata, enabling a truly self-service federation model without centralized gatekeepers.
06

FHIR-Centric Interoperability

UDAP is purpose-built for HL7 FHIR APIs, not as a generic security wrapper. It defines how FHIR-specific scopes, resource types, and operations map to OAuth 2.0 permissions. Key integrations include:

  • FHIR Bulk Data Access: Securing asynchronous export jobs for population-level analytics
  • SMART Backend Services: Providing the authentication layer for server-to-server FHIR transactions
  • Consent Resource Binding: Linking access tokens to patient-directed privacy policies This tight coupling ensures security controls are semantically aligned with clinical data operations.
UDAP EXPLAINED

Frequently Asked Questions

Clear, technical answers to the most common questions about Unified Data Access Profiles and their role in automating trust for healthcare interoperability.

Unified Data Access Profiles (UDAP) is a set of open, extensible security protocols designed to enable dynamic, scalable trust between healthcare organizations. It works by leveraging Public Key Infrastructure (PKI) and the OAuth 2.0 authorization framework to automate the previously manual process of cross-organizational authentication and authorization for FHIR APIs. In a UDAP workflow, an organization registers its digital certificate with a trusted community, and then uses that certificate to cryptographically prove its identity and request scoped access tokens to another organization's FHIR server without pre-existing bilateral agreements. This replaces static, pairwise credential management with a dynamic, certificate-based trust fabric, allowing a healthcare application to be securely discovered and authorized by any participating entity in the network automatically.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.