FHIR Specification Feedback: FHIR-27164

Recommendation for user identity binding


Details

    • Change Request
    • Resolution: Persuasive with Modification
    • Medium
    • FHIR Core (FHIR)
    • R5
    • Patient Administration
    • Device
      Person
      Practitioner
      PractitionerRole
      RelatedPerson

      Note to future self:  the idea is that we'd draft this content in PA, then send it back to Security to review.  Get agreement, and resolve the ticket once we've settled everything.

       

      Summary of our recommendations:

      • DO NOT use .telecom properties to represent user identities.
      • Systems MAY use .identifier on the relevant resources for user identities.
      • Person MAY be used to associate resources associated with one user identity.  But user identity MAY be duplicated on the other relevant resources (e.g., Practitioner)
      • User identities MAY be handled completely outside of FHIR and not represented on FHIR resources at all.

       

      TODO: discuss the SMARTv2 use of Person as fhirUser?

       

      b) should a user-identifier be recorded in the .identifier element in addition to the .telecom to enable discovery (.identifier), and preference of use (.telecom)?

      Regarding e-mail addresses as user names, we will add guidance that e-mail addresses may be communicated in the (to be created by Security) user-identity Identifier profile.  This is appropriate if the e-mail is being used as a username.  The telecom element is to be used only for communication.

      This supports schemes where a user might have cooper@example.com as their user identifier, but cooper+myhospital@example.com as the communication channel.

      Some systems may use e-mail as a unique user identifier.  Other systems may use e-mail as one piece of potentially uniquely identifying information.  And other systems may use it for communication (where communication may be to validate identity, or for other purposes).

      If an e-mail is used as both a user identifier and as a method of communication, then you'd put the same e-mail in both spots (identifier and telecom).

      Also, consider that not all individuals that need to be identified may have e-mails, for example, kids in a pediatric setting.

       

      c) Should Person be used as primary map to User given that the concept of a user can be any of the Practitioner, Patient, or RelatedPerson roles? (not user as a device?)

      We don't want to recommend that Person be the primary map.  But we do think we could describe that as one acceptable model systems could consider.

       

       

      d) If Person is used, should the same user identifier be replicated in all the places for which it is appropriate. That is the user-identity would be found in (up to) Patient, Practitioner, and RelatedPerson as needed? Thus enabling maximum discovery of FHIR Resources for which that user-identifier might be used?

      We will create a recommendation section on the security page for how we'd suggest handling user identifiers.  Each of the relevant resources (Patient, RelatedPerson, etc.) would have a short sentence directing the reader to that shared security page.

      TODO
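
The binding rule summarized in this resolution, as an added example that is not part of the ticket or of the FHIR specification: a login is bound to resources only through `.identifier` (optionally following `Person.link`), and a second function lists the resources that a `.telecom`-based lookup would have bound in addition. The `USER_ID_SYSTEM` URI, the resource ids and all sample resources are constructed assumptions, since the user-identity Identifier profile is still to be created.

```python
USER_ID_SYSTEM = "https://idp.example.org/user-id"  # hypothetical system URI

RESOURCES = [  # constructed sample data
    {"resourceType": "Practitioner", "id": "prac-1",
     "identifier": [{"system": USER_ID_SYSTEM, "value": "cooper@example.com"}],
     "telecom": [{"system": "email", "value": "cooper+myhospital@example.com"}]},
    {"resourceType": "Person", "id": "per-1",
     "identifier": [{"system": USER_ID_SYSTEM, "value": "cooper@example.com"}],
     "link": [{"target": {"reference": "Practitioner/prac-1"}},
              {"target": {"reference": "RelatedPerson/rel-1"}}]},
    {"resourceType": "RelatedPerson", "id": "rel-1"},
    # Child patient with no e-mail of their own; a parent's address is the contact.
    {"resourceType": "Patient", "id": "pat-child",
     "identifier": [{"system": "https://hospital.example.org/mrn", "value": "12345"}],
     "telecom": [{"system": "email", "value": "cooper@example.com"}]},
]


def ref(res):
    """Relative reference such as 'Patient/pat-child'."""
    return f"{res['resourceType']}/{res['id']}"


def has_user_id(res, user_id):
    """True only if the user id appears in .identifier under the user-id system."""
    return any(i.get("system") == USER_ID_SYSTEM and i.get("value") == user_id
               for i in res.get("identifier", []))


def resources_for_user(user_id, resources):
    """Bind a login to resources via .identifier, following Person.link."""
    found = set()
    for res in resources:
        if has_user_id(res, user_id):
            found.add(ref(res))
            if res["resourceType"] == "Person":
                found.update(l["target"]["reference"] for l in res.get("link", []))
    return sorted(found)


def telecom_only_matches(user_id, resources):
    """Resources a telecom-based lookup would bind but .identifier does not."""
    bound = set(resources_for_user(user_id, resources))
    return sorted(ref(r) for r in resources
                  if ref(r) not in bound
                  and any(t.get("value") == user_id for t in r.get("telecom", [])))
```

With this data the communication address `cooper+myhospital@example.com` binds to nothing, and the child's Patient record appears only in the telecom-only list, so it is never treated as belonging to the logged-in user.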

       


    Description

      There should be recommendation(s) on binding user identifiers into the various FHIR Resources that might represent users. There appears to be experience and emerging patterns that we should learn from and promulgate. 

      a) Noting that Practitioner now seems to be any professional role, not just clinicians. As Lloyd has indicated in a Zulip thread: "If someone is acting in their professional capacity (even if they're a plumber or elevator technician), that's a Practitioner."

      b) should a user-identifier be recorded in the .identifier element in addition to the .telecom to enable discovery (.identifier), and preference of use (.telecom)?

      c) Should Person be used as primary map to User given that the concept of a user can be any of the Practitioner, Patient, or RelatedPerson roles? (not user as a device?)

      d) If Person is used, should the same user identifier be replicated in all the places for which it is appropriate. That is the user-identity would be found in (up to) Patient, Practitioner, and RelatedPerson as needed? Thus enabling maximum discovery of FHIR Resources for which that user-identifier might be used?

      e) What about SMART-on-FHIR use of Person as an 'all possible roles' mechanism?

      Where might these things best be clarified? 

      • Security pages – not likely where everyone goes to find things, but some will
      • Replicated on each of these Resources?
      • Primarily in Person, with a reference from the other resources?
      • Device needs to have something too

          People

            Unassigned
            john_moehrke John Moehrke