Please clarify this requirement: "For sharing immunization records only, patient matching MAY be performed using identity attributes verified at IAL1.2 or higher by both requesting party and responder."

• This "MAY but only" might be more clearly worded as "SHALL NOT unless", if that is the intent. MAY in general reads like an optional behavior, while "MAY but only" is much more restrictive.
• Is this intended to allow a lower level of IAL than that specified earlier in this section?
• I'm not following how is this intended to be enforced:
  • By the requester, by choosing not to request matches with lower than IAL 1.5 demographics unless they know they are only going to retrieve Immunization resources? This would then imply that responders can't base $match results on asserted IAL levels, because they wouldn't know what the requester intends to do with the matched patient.
  • By the responder, by not authorizing a B2B requester asserting IAL 1.2, unless scope is limited to Patient and Immunization resources?