  1. FHIR Specification Feedback
  2. FHIR-23293

It is not clear who issues this Access Token and who it is issued to - PDex #101


Details

    • Change Request
    • Resolution: Persuasive with Modification
    • Medium
    • US Da Vinci PDex (FHIR)
    • STU3
    • Financial Mgmt
    • (profiles) [deprecated]
    •  Hook Configuration
    • A token for access to the Payer FHIR API and the URI of the appropriate endpoint is issued by the Payer CDS service in response to a successful CDS-Hook request.
    • Bob Dieterle / Mark Scrimshire : 15-0-0
    • Clarification
    • Non-substantive

    Description

      Existing Wording: When a Card is returned from the CDS Hooks appointment-book service by a Health Plan it will provide the following elements:

      • An Access Token for secure access to the Health Plan's FHIR API

      Comment:

      It is not clear who issues this Access Token and who it is issued to. If this is an OAuth access token, the flow for issuing it and identifying the client to the OAuth server must be clarified. It is also a major flaw from the OAuth perspective that the Access Token, which must be known only to the specific client (in order to ensure accountability), is shared with the CDS service. Generally access tokens should not be known to any party other than the Client and the OAuth Server.

      Moreover, it must be clearly stated that this access token must be restricted only to the Member in question and the recipient must not be able to recover any other members' information using this access token.

      Summary:

      It is not clear who issues this Access Token and who it is issued to

          People

            Unassigned
            k.connor Kathleen Connor
            Kathleen Connor