The proposed resolution is to replace the language in the Privacy Considerations section on the IG Home page from:
"Privacy Considerations
Access to the formulary service should not require authentication, and the server should not maintain any records that could associate the consumer with the medication list that was queried.
A conformant payer formulary service SHALL NOT require a formulary mobile application to send consumer identifying information in order to query for the list of health plans provided by that payer and the medication costs for each plan, specific to the consumer's set of medications.
A formulary mobile application SHALL NOT send consumer identifiable information when querying a formulary service."
to
"Privacy Considerations
The formulary service can potentially be accessed two different ways:
1) Authenticated API: Access to the formulary service when integrated with protected health information (PHI) or personally identifiable information (PII) as part of the Patient Access API SHALL be protected through an authorized, authenticated transaction as described in the Da Vinci Health Record Exchange (HRex) FHIR Implementation Guide for the September 2020 Ballot (reference to Da Vinci HRex page).
2) Unauthenticated API: When exchanging formulary data exclusively, which is public information without any PHI or PII, the formulary service MAY also be accessed through an API that does not require authentication or authorization. The formulary server SHALL NOT maintain any records through the unauthenticated API that could associate the consumer with the medication list that was queried.
When accessing data through an unauthenticated API, the conformant payer formulary service SHALL NOT require a formulary mobile application to send consumer identifying information in order to query for the list of health plans provided by that payer and the medication costs for each plan, specific to the consumer's set of medications.
An unauthenticated API to the formulary service is needed to implement the 'Shopping for Health Plans' use case detailed in this implementation guide."