Details
- Change Request
- Resolution: Unresolved
- Medium
- Interoperable Digital Identity and Patient Matching (FHIR)
- current
- Patient Administration
- Patient Matching
- 4.2
Description
Please clarify this requirement: "Security best practices, including transaction authorization, are generally out of scope for this IG; however implementers also SHALL NOT allow patients to request a match directly":
- Is this intended to be an exception to the scope that does impact authorization?
- Who does this requirement apply to? The requester, responder, or both?
- How is this intended to be enforced?
  - By the requester, by not allowing a patient match ($match or simple Patient search) to be requested if the user is a patient?
  - By the responder, by not authorizing a patient match ($match or simple Patient search) when purpose of use is Patient request and/or the requester has not authenticated to a healthcare professional?
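The two enforcement options listed in the ticket, written out as a pair of policy checks. This is an added illustration, not code from the IG or from any reference implementation; it assumes the requester's identity reaches the responder as a SMART App Launch `fhirUser` claim (a FHIR resource reference such as `Practitioner/7` or `Patient/1`), that the purpose of use arrives as an HL7 v3 ActReason code such as `TREAT` or `PATRQT`, and that the set of "healthcare professional" resource types is a deployment choice.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed requester context as a responder might derive it from an access
# token. `fhir_user` mirrors the SMART `fhirUser` claim; `purpose_of_use` is an
# assumed field, since the quoted IG text does not say how purpose is conveyed.
@dataclass
class RequestContext:
    operation: str                  # "$match" or "Patient-search"
    fhir_user: Optional[str]        # e.g. "Practitioner/7", "Patient/1", or None
    purpose_of_use: Optional[str]   # assumed v3 ActReason code, e.g. "TREAT"

MATCH_OPERATIONS = {"$match", "Patient-search"}
# Deployment assumption: which resource types count as healthcare professionals.
PROFESSIONAL_TYPES = {"Practitioner", "PractitionerRole"}
PATIENT_REQUEST_PURPOSE = "PATRQT"   # v3 ActReason "patient requested"

def requester_role(ctx: RequestContext) -> Optional[str]:
    """Resource type named by the fhirUser claim, or None if absent/malformed."""
    if not ctx.fhir_user or "/" not in ctx.fhir_user:
        return None
    return ctx.fhir_user.split("/", 1)[0]

def requester_may_submit(user_resource_type: str) -> bool:
    """Option 1 (requester side): do not offer a match to a patient user."""
    return user_resource_type != "Patient"

def responder_decision(ctx: RequestContext) -> Tuple[bool, str]:
    """Option 2 (responder side): deny patient-originated or patient-purpose
    match requests, and require an authenticated professional. Returns
    (allowed, reason) so the reason can be logged for audit."""
    if ctx.operation not in MATCH_OPERATIONS:
        return True, "not a match request; rule does not apply"
    role = requester_role(ctx)
    if role == "Patient":
        return False, "match requested directly by a patient user"
    if ctx.purpose_of_use == PATIENT_REQUEST_PURPOSE:
        return False, "purpose of use is patient request"
    if role not in PROFESSIONAL_TYPES:
        return False, "requester not authenticated as a healthcare professional"
    return True, "authenticated professional with non-patient purpose"

if __name__ == "__main__":
    for ctx in (RequestContext("$match", "Practitioner/7", "TREAT"),
                RequestContext("$match", "Patient/1", "TREAT"),
                RequestContext("Patient-search", "Practitioner/7", "PATRQT"),
                RequestContext("$match", None, "TREAT")):
        print(ctx, "->", responder_decision(ctx))
```

Either check alone leaves a gap: a requester-side guard does nothing against a client that omits it, and a responder-side check depends on the token actually carrying a trustworthy user and purpose, which is why the ticket's question about where the obligation sits matters.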