> In addition to the above, the PDMP transactions between the PDMP Requestor and the PDMP Responder need to be secured using the SMART Backend Services Authorization Guide as shown in Figure 6 below.

This should be pointing to the released version of the smart back-end Services authorization guide published on hl7.org. It's worth considering whether implementers should be constrained to only using this guy, or whether this should be simply a recommended option. Is there real world application experience pushing this into production? If not, it would be good to leave options open and tighten over time.