I learned today that there is special handling described in the RESTful Update when the update includes updates to meta. http://hl7.org/fhir/resource.html#tag-updates

I am especially concerned about the rule identified for Security tags.

I understand that this rule has been in the specification since before the security wg got engaged in the FHIR specification. I understand that it is in there to support use-cases where the patient has explicitly tagged a resource, so that the sensitivity tags that the patient may have chosen is not overwritten. I don't believe that this rule achieves this goal. More importantly this kind of a use-case is better handled today using a Consent with that resource identified in Consent.provision.data so that the source of the policy is more cleanly managed, and the rule around the meaning is more cleanly managed.

I recommend that the special handling of security tag be removed. That an update of the security tag should be handled just like profile tag is identified. That is to say that an update of the element is an update of the element. That security tag is not handed any differen than any other element.

Note this was uncovered when an implementer was frustrated that their appropriate update of the security tags were not being updated. It took many people to figure out where this special rule was written.