Uploaded image for project: 'FHIR Specification Feedback'
  1. FHIR Specification Feedback
  2. FHIR-30262

Improper use of paitent/.read scope

    XMLWordPrintableJSON

Details

    • Icon: Change Request Change Request
    • Resolution: Persuasive
    • Icon: Medium Medium
    • US Making EHR Data More available for Research and Public Health (MedMorph) (FHIR)
    • 0.1.0
    • Public Health
    • Research Data Extraction
    • 10.1
    • Hide

      The patient scopes will be removed per the comment.

      Show
      The patient scopes will be removed per the comment.
    • Kishore Bashyam / Craig Newman : 28 - 0 - 1
    • Correction
    • Compatible, substantive

    Description

      The specification defines the following: 

      The EHR system SHALL support ```system/.read and patient/.read`` scopes to access data for multiple patients.

       

      As this is using the SMART Bulk data standard the patient/.read scope is out of context.  As specified in the the BULK data specification:   http://hl7.org/fhir/uv/bulkdata/authorization/index.html#scopes 

      As the client authorization addressed by this specification involves no user or launch context, the existing SMART on FHIR scopes are not appropriate. Instead, clients SHALL use “system” scopes that parallel SMART “user” scopes. System scopes have the format system/(:resourceType|).(read|write|)– which conveys the same access scope as the matching user format user/(:resourceType|).(read|write|). However, system scopes are associated with permissions assigned to an authorized software client rather than to a human end-user.

       

      the patient.read scope should be removed

      Attachments

        Activity

          People

            nageshbashyam Nagesh Bashyam
            rdingwell Rob Dingwell
            Watchers:
            1 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: