Uploaded image for project: 'FHIR Specification Feedback'
  1. FHIR Specification Feedback
  2. FHIR-37167

Qualifying a direct query

    XMLWordPrintableJSON

Details

    • Icon: Change Request Change Request
    • Resolution: Not Persuasive
    • Icon: Highest Highest
    • US Da Vinci CDex (FHIR)
    • 1.1.0-ballot [deprecated]
    • Patient Care
    • STU
    • Direct Query
    • Hide

      We agree with commenter in FHIR-37166 to remove "Preferred" from direct query.  However the concerns expressed in this tracker are addressed in the Security and Privacy page and specifically by the SMART App Launch Implementation Guide which

      describes a set of foundational patterns based on OAuth 2.0 for client applications to authorize, authenticate, and integrate with FHIR-based data systems. The patterns defined in this specification are introduced in the sections below.

       

      which includes 

      Scopes for Limiting Access

      SMART uses a language of “scopes” to define specific access permissions that can be delegated to a client application. These scopes draw on FHIR API definitions for interactions, resource types, and search parameters to describe a permissions model. For example, an app might be granted scopes like user/Encounter.rs, allowing it to read and search for Encounters that are accessible to the user who has authorized the app. Similarly, a backend service might be granted scopes like system/Encounter.rs, allowing it to read and search for Encounters within the overall set of data it is configured to access. User-facing apps can also receive “launch context” to indicate details about the current patient or other aspects of a user’s EHR session or a user’s selections when launching the app.

      Show
      We agree with commenter in FHIR-37166 to remove "Preferred" from direct query.  However the concerns expressed in this tracker are addressed in the Security and Privacy page and specifically by the SMART App Launch Implementation Guide which describes a set of foundational patterns based on OAuth 2.0 for client applications to authorize, authenticate, and integrate with FHIR-based data systems. The patterns defined in this specification are introduced in the sections below.   which includes  Scopes for Limiting Access SMART uses a language of “scopes” to define specific access permissions that can be delegated to a client application. These scopes draw on FHIR API definitions for interactions, resource types, and search parameters to describe a permissions model. For example, an app might be granted scopes like  user/Encounter.rs , allowing it to read and search for Encounters that are accessible to the user who has authorized the app. Similarly, a backend service might be granted scopes like  system/Encounter.rs , allowing it to read and search for Encounters within the overall set of data it is configured to access. User-facing apps can also receive “launch context” to indicate details about the current patient or other aspects of a user’s EHR session or a user’s selections when launching the app.
    • Eric Haas/Bob Dieterle: 8-0-3

    Description

      The IG mentions "For Direct Query, the Payer directly queries the EHR for specific data using the standard FHIR RESTful search. This is the preferred option."

       

      There are patient privacy concerns with direct queries. Is the direct query functionality giving payers unfettered access to patient clinical data? Providers are the stewards of clinical information, so sharing of any patient information without provider intervention to determine to necessary information is potentially problematic. 

      Attachments

        Activity

          People

            Unassigned Unassigned
            apreisler Andrea Preisler
            Andrea Preisler
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: