- Type: Change Request
- Resolution: Persuasive with Modification
- Priority: Highest
- US Da Vinci CDex (FHIR)
- current
- Patient Care
- Specification [deprecated]
- 8.2.1
- Eric Haas/Jay Lyle: 5-0-8
- Clarification
- Non-substantive
Purpose of use for a Direct Query, where the Payer directly queries the EHR for specific data using the standard FHIR RESTful search, must be limited to HIPAA Operations/Payment purposes of use. This signals to the provider system that only the minimum necessary information may be disclosed. Unlike the Treatment purpose of use, which does not require minimum necessary restrictions on the disclosure, for these queries, it must be made clear that the purpose of use is limited to Operations/Payment.
Existing Wording:
Purpose of Use: In some cases it may be important to transmit the Purpose of Use in the Authorization Framework (OAuth) when querying for data. The details of incorporating the reason for a query into OAuth is an area of active discussion. Once a suitable approach has been agreed upon and published, it will be referenced in a future version of this guide.
Proposed Wording:
The details of how to convey the level of confidentiality protection required to be afforded information being queried using OAuth are an area of active discussion.
Once a suitable approach has been agreed upon and published, it will be referenced in a future version of this guide.
Until that time, a CDex query requester should consult with legal counsel on how to convey the requester's intent to access confidential information by whatever means available, e.g., following the OASIS XSPA SAML IG, out-of-band communications, a trust agreement, or by pre-adopting the yet-to-be-balloted SMART Fine Grain Access approach for conveying confidentiality in conformance with the HL7 Privacy and Security Healthcare Classification System.
(Comment 65 - imported by: Jean Duteau)
- is voted on by: BALLOT-15222 Negative - Vannak Kann : 2021-Jan-FHIR IG CDex R1 STU (Balloted)