> ## Documentation Index > Fetch the complete documentation index at: https://docs.encoreos.io/llms.txt > Use this file to discover all available pages before exploring further. # External Integrations Catalog > Version: 1.0 Last Updated: 2026-02-16 Source: EHR_PM_PLANNING_BUNDLE.md **Version:** 1.0\ **Last Updated:** 2026-02-16\ **Source:** [EHR\_PM\_PLANNING\_BUNDLE.md](../../../specs/cl/planning/EHR_PM_PLANNING_BUNDLE.md) This document catalogs **external** (out-of-platform) integrations for EHR and Practice Management: clearinghouses, payer APIs, PDMP, HIE, e-prescribing, and lab. Entries may be **Implemented** (operational), **Blocked** (requires external verification or blocked by external requirements), or **Planned** (specified but not yet implemented). *** ## Quick Reference | Integration Type | Status | Key Standards | Spec | | -------------------- | ---------- | --------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ | | Clearinghouse (EDI) | πŸ“ Planned | X12 837P/I, 835, 270/271, 276/277 | [PM-15](../../../specs/pm/specs/PM-15-clearinghouse-integration.md) | | Payer ePA | πŸ“ Planned | Da Vinci CRD, DTR, PAS | [PM-10](../../../specs/pm/specs/PM-10-prior-authorization-management.md) | | Arizona CSPMP (PDMP) | πŸ“ Planned | State API / PMP Gateway | [CL-17](../../../specs/cl/specs/CL-17-arizona-cspmp-pdmp-integration.md) | | HIE (Contexture) | πŸ“ Planned | C-CDA 2.1, XDS/XCA, ADT | [CL-12](../../../specs/cl/specs/CL-12-care-coordination-transitions.md), [CL-16](../../../specs/cl/specs/CL-16-fhir-interoperability-data-exchange.md) | | EPCS | πŸ“ Planned | NCPDP SCRIPT 2023011 | [CL-06](../../../specs/cl/specs/CL-06-e-prescribing-epcs.md) | | Lab / LIS | πŸ“ Planned | HL7v2, FHIR DiagnosticReport | [CL-09](../../../specs/cl/specs/CL-09-lab-diagnostic-orders-results.md) | *** ## Status Legend * βœ… **Implemented** - Integrated and operational * 🟑 **In Progress** - Implementation underway * ⚠️ **Blocked** - Requires external verification or is blocked by external requirements (e.g., OAuth app verification, vendor approval) * πŸ“ **Planned** - Specified; not yet implemented *** ## Catalog | Name | Type | Standard / API | Status | Spec Reference | Notes | | ----------------------------------------- | -------------------------- | ---------------------------------------------- | ------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Clearinghouse (generic) | Clearinghouse / EDI | ANSI X12 837P, 837I, 835, 270, 271, 276, 277 | πŸ“ Planned | [PM-15](../../../specs/pm/specs/PM-15-clearinghouse-integration.md) | Claims submission, remittance, eligibility, claim status | | Payer FHIR ePA | Payer API | HL7 Da Vinci CRD, DTR, PAS | πŸ“ Planned | [PM-10](../../../specs/pm/specs/PM-10-prior-authorization-management.md) | CMS-0057-F; payer API requirements Jan 1, 2027 | | Arizona CSPMP (PDMP) | PDMP | PMP Gateway / HIE / third-party; state API | πŸ“ Planned | [CL-17](../../../specs/cl/specs/CL-17-arizona-cspmp-pdmp-integration.md) | EMR vendor integration deadline Dec 31, 2026; A.R.S. Β§ 36-2606 | | Contexture (AZ HIE) | HIE | DirectTrust, C-CDA 2.1, XDS/XCA, ADT | πŸ“ Planned | [CL-12](../../../specs/cl/specs/CL-12-care-coordination-transitions.md), [CL-16](../../../specs/cl/specs/CL-16-fhir-interoperability-data-exchange.md) | Care coordination, document exchange | | Waystar Coverage Detection | Coverage Discovery | REST/JSON; Waystar Coverage API | πŸ“ Planned | [PM-60](../../../specs/pm/specs/PM-60-realtime-insurance-discovery-coverage-autoadd.md) | BAA: required (existing Waystar BAA may amend); data classes: PHI (name, DOB, SSN); transport: REST over TLS 1.2+; Phase 1 candidate vendor for self-pay coverage discovery | | pVerify Coverage Discovery | Coverage Discovery | REST/JSON; pVerify API | πŸ“ Planned | [PM-60](../../../specs/pm/specs/PM-60-realtime-insurance-discovery-coverage-autoadd.md) | BAA: required (new); data classes: PHI; transport: REST; alternative vendor for adapter pattern | | Inovalon Coverage Discovery | Coverage Discovery | SOAP/REST hybrid | πŸ“ Planned | [PM-60](../../../specs/pm/specs/PM-60-realtime-insurance-discovery-coverage-autoadd.md) | BAA: required; strong retroactive Medicaid panel; alternative vendor | | Apple Push Notification Service (APNs) | Push Notifications | HTTP/2 binary protocol | πŸ“ Planned | [PM-59](../../../specs/pm/specs/PM-59-patient-mobile-app-pwa-companion.md) | BAA: not applicable (Apple does not store payload β€” generic, no-PHI titles only); transport: TLS 1.2+; per HHS HIPAA mobile guidance | | Google Firebase Cloud Messaging (FCM) | Push Notifications | HTTP/REST | πŸ“ Planned | [PM-59](../../../specs/pm/specs/PM-59-patient-mobile-app-pwa-companion.md) | BAA: required (Google Cloud BAA); transport: TLS 1.2+; no-PHI payloads only | | Stripe (Apple Pay / Google Pay) | Payments / Wallets | PaymentRequest API + Stripe REST | πŸ“ Planned | [PM-59](../../../specs/pm/specs/PM-59-patient-mobile-app-pwa-companion.md), [PM-45](../../../specs/pm/specs/PM-45-patient-payment-plans-collections.md) | Existing Stripe BAA; PCI SAQ-A scope (tokenized; no PAN handling) | | Medplum FHIR Server (or alternative) | FHIR R4 / SMART App Launch | FHIR R4, SMART App Launch v2.0.0, US Core 7.0 | πŸ“ Planned | [PM-55](../../../specs/pm/specs/PM-55-onc-hti1-uscdi-v3-patient-access-api.md) | Vendor selection pending (Medplum / Aidbox / build-in-house); BAA required for hosted; required for ONC HTI-1 (g)(10) certification | | Authentik (or alternative OAuth2 server) | OAuth2 / SMART | OAuth2 + Dynamic Client Registration | πŸ“ Planned | [PM-55](../../../specs/pm/specs/PM-55-onc-hti1-uscdi-v3-patient-access-api.md) | Vendor selection pending; required for SMART App Launch dynamic registration | | EPCS / Surescripts | e-Prescribing | Surescripts, NCPDP SCRIPT 2023011 | πŸ“ Planned | [CL-06](../../../specs/cl/specs/CL-06-e-prescribing-epcs.md) | HTI-4; SCRIPT transition by Dec 31, 2027 | | RTPB | e-Prescribing | NCPDP RTPB v13 | πŸ“ Planned | [CL-06](../../../specs/cl/specs/CL-06-e-prescribing-epcs.md) | Real-Time Prescription Benefit; Base EHR Jan 2028 | | Lab / LIS | Lab | HL7v2, FHIR DiagnosticReport | πŸ“ Planned | [CL-09](../../../specs/cl/specs/CL-09-lab-diagnostic-orders-results.md) | Orders and results | | Ramp (Spend Management / Corporate Cards) | External API | Ramp Developer API (OAuth, REST) | πŸ“ Planned | [FA-30](../../../specs/fa/specs/FA-30-ramp-corporate-cards-spend-integration.md) | Card transaction sync, ERP sync; optional virtual cards; sandbox via Ramp partnerships | | RingCentral (Telephony) | Telephony API | RingCentral REST API, Webhooks, Embeddable SDK | βœ… Implemented | [CE-03](../../../specs/ce/specs/CE-03-call-management-ringcentral.md), [CE-14](../../../specs/ce/specs/CE-14-ringcentral-embeddable.md) | Call tracking, recording, disposition, WebRTC embeddable widget | | Twilio (SMS) | SMS API | Twilio SMS REST API, Webhooks | βœ… Implemented | [CE-08](../../../specs/ce/specs/CE-08-sms-messaging-integration.md) | Two-way SMS messaging, TCPA compliance | | Gmail API | Email API | Gmail REST API (OAuth 2.0) | ⚠️ Blocked | [CE-07](../../../specs/ce/specs/CE-07-email-integration.md) | Email sync (blocked: requires Google app verification) | | Microsoft Graph (Outlook) | Email API | Microsoft Graph Mail API (OAuth 2.0) | βœ… Implemented | [CE-07](../../../specs/ce/specs/CE-07-email-integration.md) | Email sync for Outlook/Microsoft 365 | *** ## Integration Engine Strategy Per [ehr\_pm research](../../ehr_pm/research-20260216.md): avoid hard dependency on a single integration engine vendor (e.g. Mirth Connect 4.6+ licensing). Prefer: * **Abstraction layer** so EHR does not hard-depend on one engine * **Standards-first payloads** (FHIR, X12, NCPDP, C-CDA) with contract tests * **Interface catalog** (data contracts, endpoints, versioning, monitoring) as a first-class artifact *** ## Decision Tree(s) **Choosing an integration approach:** 1. Is the integration **external** (clearinghouse, payer, PDMP, HIE, eRx, lab)? β†’ Use this catalog and [API Contracts](./API_CONTRACTS.md) / [Event Contracts](./EVENT_CONTRACTS.md) for in-platform contracts that wrap external APIs. 2. Is the payload **standardized** (X12, FHIR, NCPDP)? β†’ Prefer standards-first contracts and abstraction; avoid vendor-specific formats in core. 3. Does the integration require **audit or consent** (e.g. PDMP, Part 2)? β†’ Document in spec (CL-17, CL-11) and use platform consent/layers. 4. Is it **real-time** (eligibility, claim status) vs **batch** (837 submission, 835 posting)? β†’ Define SLA, timeout, and retry in API contract. *** ## Pattern Library * **Abstraction layer:** All external calls go through an adapter or edge function; no direct vendor SDK in core. See [Integration Engine Strategy](#integration-engine-strategy). * **Standards-first contracts:** Define request/response shapes using FHIR, X12, or NCPDP types; validate with contract tests before going live. * **Interface catalog:** Each integration has a catalog entry (name, type, standard, status, spec), plus documented endpoints and payload samples (see code examples below). *** ## Common Mistakes | Mistake | Symptom | Fix | | ----------------------------------------- | -------------------------------- | --------------------------------------------------------------------------- | | Hard dependency on one integration engine | Vendor lock-in; costly migration | Use abstraction layer; keep engine behind adapter | | Non-standard or undocumented payloads | Broken pipelines; hard to debug | Define contracts (FHIR/X12/NCPDP); add examples to catalog | | Missing audit for PDMP or Part 2 | Compliance failure | Document audit requirements in CL-17/CL-11; log query/response IDs only | | No versioning or monitoring | Downtime or silent failures | Add version to contracts; health checks and alerting for external endpoints | *** ## Pre-Flight Checklist Before enabling or changing an external integration: * [ ] **Standards:** Payload and endpoint match the chosen standard (FHIR R4, X12, NCPDP) and version. * [ ] **Contracts:** Request/response schemas and error codes documented in [API Contracts](./API_CONTRACTS.md) or event payload in [Event Contracts](./EVENT_CONTRACTS.md). * [ ] **Monitoring:** Health check and latency/error metrics for the external endpoint; alerts on failure or SLA breach. * [ ] **Versioning:** Contract version and external API version documented; upgrade path for breaking changes. * [ ] **Consent/Audit:** If PDMP or Part 2–related, consent and audit requirements implemented per CL-17/CL-11. *** ## Data Flow, Authentication & Monitoring (Per Integration) Each external integration MUST document the following before go-live. Stubs below. ### Clearinghouse (PM-15) * **Data flow:** App β†’ Edge function or backend β†’ Clearinghouse (SFTP or API). Outbound: 837P/I, 270, 276, 278. Inbound: 835, 271, 277, 999. Batch and/or real-time per contract. * **Authentication:** TLS 1.2+; credentials (SFTP key or API key) in secrets; no credentials in code. * **Sandbox/testing:** Use clearinghouse test environment; separate config for prod vs test. * **Error handling:** Retry 5xx/network with backoff; rejections (999/277) logged and routed to correction workflow; DLQ for repeated failures. * **Monitoring:** Health check (connectivity + test transaction); latency p95; error rate; alert on SLA breach or connection failure. ### Payer ePA (PM-10) * **Data flow:** App β†’ FHIR Da Vinci CRD/DTR/PAS endpoint. Request/response per CMS-0057-F. * **Authentication:** OAuth2 or API key per payer; store in secrets. * **Sandbox:** Payer sandbox for development; document base URLs per environment. * **Error handling:** Retry 429/5xx; return structured error to user; log request\_id for support. * **Monitoring:** Latency; success vs denial rate; alert on payer endpoint down. ### Arizona CSPMP / PDMP (CL-17) * **Data flow:** App β†’ State PMP Gateway or HIE; query-in-workflow; response stored for audit only (no PII in logs). * **Authentication:** State-issued credentials; certificate or API key per state requirements. * **Sandbox:** State test environment if available. * **Error handling:** Fail closed (do not prescribe without PDMP when required); log query\_id only; audit per CL-17. * **Monitoring:** Query success rate; latency; alerts on gateway errors. ### Contexture (AZ HIE) (CL-12, CL-16) * **Data flow:** DirectTrust or XDS/XCA; ADT and C-CDA document exchange. Outbound: C-CDA 2.1; Inbound: documents and ADT. * **Authentication:** DirectTrust certificate; enrollment and onboarding per Contexture. * **Sandbox:** HIE test environment. * **Error handling:** Retry transient; log document\_id and outcome; no PHI in logs. * **Monitoring:** Submission success; document retrieval latency; certificate expiry alerts. ### EPCS / Surescripts (CL-06) * **Data flow:** NCPDP SCRIPT 2023011 to Surescripts; two-factor auth; prescription and status. * **Authentication:** EPCS credentials (hardware or software token); FIPS 140-2 where required. * **Sandbox:** Surescripts test environment. * **Error handling:** Prescription failure returned to user; no retry of invalid sig; audit all attempts. * **Monitoring:** Send success rate; response latency; token/credential expiry. ### Lab / LIS (CL-09) * **Data flow:** HL7v2 or FHIR DiagnosticReport; order outbound; results inbound. * **Authentication:** Lab-specific (often VPN or HL7 MLLP with mutual TLS). * **Sandbox:** Lab test environment or mock. * **Error handling:** Retry HL7 NAK; map errors to user message; log order\_id only. * **Monitoring:** Order and result throughput; error rate; interface uptime. *** ## Integration Adapter Pattern All external calls MUST go through an adapter (edge function or server-side module). No direct vendor SDK in core CL/PM UI. Adapter responsibilities: * Map internal IDs to external identifiers. * Transform request/response to/from standard shapes (FHIR, X12, NCPDP). * Apply authentication and retry. * Log metrics and errors (no PII/PHI). * Support feature-flag or config to switch environments (sandbox vs prod). *** ## Code Examples (Contract / Endpoint / Payload) **Example: FHIR R4 request (EHI export scope).**\ *Label: FHIR patient read – used by CL-16 / PM-12.* ```json theme={null} GET /fhir/r4/Patient/{id} Accept: application/fhir+json ``` **Example: X12 270 eligibility request (simplified).**\ *Label: X12 270 – eligibility request; see PM-02, PM-15.* ``` ISA*00* *00* *ZZ*SENDER *ZZ*RECEIVER *260216*1200*^*00501*000000001*0*P*> GS*HS*SENDER*RECEIVER*20260216*1200*1*X*005010X279A1 ST*270*0001*005010X279A1 BHT*0022*11*REF123*20260216*1200*CH HL*1*0*20*1 NM1*1P*2*ORG*****PI*12345 ... SE*... GE*1*1 IEA*1*000000001 ``` **Example: NCPDP SCRIPT segment (eRx).**\ *Label: NCPDP SCRIPT – e-prescribing; see CL-06.* ``` Segment: Prescription (simplified) - Patient ID, Drug, Sig, Quantity, Refills per NCPDP SCRIPT 2023011 ``` *** ## Microsoft 365 Deep Integrations (PF-63) **Status:** βœ… Implemented\ **Spec:** [PF-63](../../../specs/pf/specs/PF-63-entra-id-integration.md)\ **Catalog:** Entra ID (Azure AD) app-only; Graph API for presence, Teams, SharePoint, activity feed.\ **Last Verified:** 2026-02-21 | Integration | API | Edge Function | Status | | ----------------------- | -------------------------------------------------------------------------- | ---------------------------- | ------ | | Teams Presence | Graph Presence API (`/users/{id}/presence`) | `entra-employee-presence` | βœ… | | Teams Channel Messaging | Graph Teams API (`/teams/{id}/channels/{id}/messages`) | `entra-teams-notify` | βœ… | | SharePoint Files | Graph Drive API (`/sites/{id}/drive/items`) | `entra-sharepoint-documents` | βœ… | | Teams Activity Feed | Graph Teams Activity API (`/users/{id}/teamwork/sendActivityNotification`) | `entra-teams-activity` | βœ… | **Authentication:** Client Credentials flow (app-only) via Entra ID App Registration.\ **Tenant Isolation:** All edge functions enforce `verifyOrgAccess()` + org-scoped credential lookup.\ **PHI Controls:** OOO message content redacted; no PHI in logs. *** ## Related Documentation * [Event Contracts](./EVENT_CONTRACTS.md) - CL/PM planned events * [API Contracts](./API_CONTRACTS.md) - CL/PM planned APIs * [Platform Integration Layers](./PLATFORM_INTEGRATION_LAYERS.md) - CL/PM planned platform layers * [CROSS\_CORE\_INTEGRATIONS](./CROSS_CORE_INTEGRATIONS.md) - Cross-core matrix * [EHR\_PM\_PLANNING\_BUNDLE](../../../specs/cl/planning/EHR_PM_PLANNING_BUNDLE.md) - Planning source *** **Next Review:** When CL/PM implementation starts or external contracts are signed.