Uploaded image for project: 'FHIR Specification Feedback'
  1. FHIR Specification Feedback
  2. FHIR-36437

Revamp payer authorization language

    XMLWordPrintableJSON

Details

    • Icon: Change Request Change Request
    • Resolution: Persuasive with Modification
    • Icon: Medium Medium
    • US Da Vinci DTR (FHIR)
    • 1.0.0 [deprecated]
    • Clinical Decision Support
    • Retrieval of Payer Resources [deprecated]
    • Hide

      Will replace the current content with a reference to the SMART "backend services" protocol and list the scopes needed - which are system/questionnaire.rs, system/valueset.rs and system/library.rs.  Those will be sufficient to invoke the DTR Questionnaire operation, $next-question, ValueSet/$expand and retrieval of libraries and value sets.  (The spec should explain that intention for that set of scopes.)  

      Make it explicit that this authentication mechanism holds regardless of how DTR is launched (via CRD or standalone). 

      Show
      Will replace the current content with a reference to the SMART "backend services" protocol and list the scopes needed - which are system/questionnaire.rs, system/valueset.rs and system/library.rs.  Those will be sufficient to invoke the DTR Questionnaire operation, $next-question, ValueSet/$expand and retrieval of libraries and value sets.  (The spec should explain that intention for that set of scopes.)   Make it explicit that this authentication mechanism holds regardless of how DTR is launched (via CRD or standalone). 
    • Bob Dieterle / Jeff Brown : 12-0-2
    • Correction
    • Compatible, substantive

    Description

      "Payers SHALL require the DTR process to authenticate in order to retrieve resources when PHI is exchanged, and MAY required authentication in other situations. In the case that authentication is required, the following JSON structure SHALL be populated by the payer system. This JSON is based on the structure for FHIR Authorization in CDS Hooks."

      A DTR app can't know if questions in a Questionnaire will include PHI.  Therefore, the presumption must be that all interactions will involve PHI.  Furthermore, writing to and accessing existing DocumentReferences could also expose PHI.  Therefore, all communication between a 'full' EHR or a SMART app and a payer must be over an authenticated connection.

      Second, we shouldn't be inventing our own authorization mechanism here.  Instead, we should be using the SMART "backend services" protocol.  All we should be doing are pointing to that spec and listing the scopes needed - which are system/questionnaire.rs, system/valueset.rs and system/library.rs.  Those will be sufficient to invoke the DTR Questionnaire operation, $next-question, ValueSet/$expand and retrieval of libraries and value sets.  (The spec should explain that intention for that set of scopes.)  If the EHR can't handle in-progress results, then it also needs system/documentreference.cruds.

      Attachments

        Activity

          People

            rgeimer Rick Geimer
            lloyd Lloyd McKenzie
            Watchers:
            4 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: