  1. FHIR Specification Feedback
  2. FHIR-43761

Granular scopes extend beyond regulatory requirement


Details

    • Change Request
    • Resolution: Persuasive with Modification
    • Medium
    • US Core (FHIR)
    • 7.0.0-ballot
    • Cross-Group Projects
    • STU
    • SMART on FHIR Obligations and Capabilities

      Background

      The 2024 Argonaut Project: US Core Granular Scopes Mini (https://confluence.hl7.org/display/AP/US+Core+Granular+Scopes+Mini) held a series of calls with implementers to address the issues surrounding the US Core Scopes guidance.

      Decisions:

      1. Based on the call series, add the following guidance to US Core as pre-applied HERE

      • Require (SHALL) only the scopes defined in HTI-1:

        must minimally be capable of handling finer-grained scopes using the “category” parameter for (1) the Condition resource with Condition sub-resources Encounter Diagnosis, Problem List, and Health Concern and (2) the Observation resource with Observation sub-resources Clinical Test, Laboratory, Social History, SDOH, Survey, and Vital Signs

      • ** no category "clinical test" the observation "sub-resource" Clinical Test (aka US Core Observation Clinical Result Profile) has 7 categories as must support? add narrative guidance that MAY use one of the categories in Clin result Observation. - as narrative guidance. (check with ONC - prior to publication.)

      • Recommend as best practice (SHOULD) for DocumentReference "clinical-note"
      • Guidance that servers MAY add other resource-level and granular-level scopes

      2. Limit Scopes to read and search only

      • HTI-1 limits scopes to search only
      • US Core API currently does not address write (see Future of US Core Page: https://hl7.org/fhir/us/core/2024Jan/future-of-US-core.html#record-or-update-data)
      • Defer any consideration for other operations until regulations require write scopes or US Core Update API to support write

      3. Documented in the US Core Scopes page (see attachments)

      • Document/Clarify that the Goal of granular scopes is to limit authorization (vs access) to specific data domains.
      • Requirements (SHALL) based on current or pending regulations such as HTI-2 and/or community-based consensus that a nominated scope is required to meet a system requirement or clinical need.
      • Recommended (SHOULD) granular scopes based on a community-based consensus that a nominated scope meets a system requirement or clinical need as a best practice.

      4. Add section on token introspection, capabilities(sets), and .well-known endpoint.
    • Eric Haas/Brett Marquard: 17-0-0
    • Enhancement
    • Compatible, substantive
    • Yes

    Description

      The granular scopes specified in 7.0.0 ballot extend beyond regulatory requirement and without defined strategy or approach that would lead to their inclusion. 

      Only condition and observation are required and would suggest removal of granular scopes from other resources until such time that a strategy and guidance can be formed for future inclusion. 

      Referenced page: https://build.fhir.org/ig/HL7/US-Core/scopes.html


          People

            Unassigned
            andrew_fagan1 Andrew Fagan
            Andrew Fagan, Hans Buitendijk
            Watchers: 5
