Existing Wording: 1-1-1-2 OAuth2 Authorized Exchange:

After authenticating the Member SHALL be presented with an Authorization screen that enables them to approve the sharing of information with the Third Party, or new Health Plan, Application that has client application credentials registered with the Health Plan.

Proposed Wording: After authenticating the Member SHALL be presented with an Authorization screen that enables them to approve with a signature the sharing of information with the Third Party, or new Health Plan, Application that has client application credentials registered with the Health Plan.

Comment:

Individual's Right to Direct the PHI to Another Person https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html

An individual also has a right to direct the covered entity to transmit the PHI about the individual directly to another person or entity designated by the individual. The individual's request to direct the PHI to another person must be in writing, signed by the individual, and clearly identify the designated person and where to send the PHI. A covered entity may accept an electronic copy of a signed request (e.g., PDF), as well as an electronically executed request (e.g., via a secure web portal) that includes an electronic signature. The same requirements for providing the PHI to the individual, such as the fee limitations and requirements for providing the PHI in the form and format and manner requested by the individual, apply when an individual directs that the PHI be sent to another person. See 45 CFR 164.524(c)(3).

Summary:

According to OCR, the Authorization screen must provide the capability for Member to sign when directing that the payer share information with a Third Party, new Health Plan, or an Application….