As part of my work as Entrepreneur-In-Residence at CMS, I am working on the next generation of BlueButton as a data API. Within CMS, we refer to this as BluebuttonOnFHIR. As part of this work, I have been thinking about how to establish trust for the third-party applications that want to connect to the API.
In order to establish a solution for this baseline of trust, I have put forward the idea of whitelist APIs. These could be hosted by current trust bundle administrators such as NATE and DirectTrust.
You can find out more about this whitelist API via a post I have published today on the HHS IDEALab Blog. Check it out here: http://www.hhs.gov/idealab/2015/11/19/trusting-health-apis/
The IDEA Lab Blog post points to a Google Doc for the Whitelist API Specification. If you have trouble reaching Google, you can read the specification here: OAuth Trust Whitelist API