FHIR Specification Feedback
FHIR-45199

Internally inconsistent re: requirements on authentication of patients vs B2B with Patient User permitting Authorization Extension Object assertions


Details

    • Type: Change Request
    • Resolution: Persuasive
    • Priority: Medium
    • Specification: Interoperable Digital Identity and Patient Matching (FHIR)
    • Raised in version: current
    • Work Group: Patient Administration
    • Digital Identity Home

      Update NOTE 4.1 to state:

      "However, patient-initiated workflows (for example, “patient request” purpose of use) SHALL always include explicit end-user authorization."

      Examples:

      • Patient authorizes access as in SMART App Launch with clicking a button to authorize the transaction as a mechanism for capturing and carrying consent in authorization code flow
      • Tiered OAuth Use Case - same as nominal SMART App Launch, except user profile data includes sufficiently high IAL1.8 identity assurance and AAL2 authorization assurance
      • B2B Patient User Use Case - include consent, IAL1.8 identity assurance, and AAL2 authentication assurance

      Update first bullet in 4.2 to state:

      "Recognize that the patient already has an account (when a record represents an account)" ... "and allow them to authenticate when the credentials are sufficiently strong (IAL1.8/AAL2) and the patient can be matched based on best-practice matching"

      Update language in 1.3 regarding App-Mediated B2B with Patient User to state:

      "... verify the identity of the patient or their authorized rep at IAL1.8 and authenticate them at AAL2 prior to capturing the consent or allowing their access to data."

      instead of:

      "... though the requirements on how data are restricted are beyond this guide’s scope."

    • Change Category: Clarification
    • Change Impact: Non-substantive
    • Resolved in version: current

    Description

      The NOTE in 4.1 states that explicit patient authorization is required for patient access to data. However, the Authorization Extension Object (AEO) currently has no way to carry that authorization in-line, so the B2B workflow, in which an organization's digital certificate authenticates the organization, which then signs a JWT containing demographics for the patient whose health data it wishes to request, is at odds with these stipulations in the IG. The requirement to authenticate the patient directly is reinforced in at least two more places at the beginning of 4.2.

      Related topics include 1) more specific guidance on ID token data and 2) passing that same data in non-OIDC transactions.
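      The following is an added example, not code from this ticket, the Digital Identity IG, or any HL7 project: a Python policy gate that applies the proposed NOTE 4.1 rule to the Authorization Extension Object carried in a B2B client assertion. The claim names used below ("purpose_of_use", "end_user", "ial", "aal", "consent") and the purpose-of-use codes are assumptions chosen for illustration, not the IG's field names, and the sample objects are constructed. The gate assumes the enclosing JWT's signature has already been verified against the organization's certificate, which is the organization-level authentication the description refers to.

```python
# Added example (not from the FHIR ticket, the IG, or any HL7 code): a policy
# gate over a B2B client assertion's Authorization Extension Object (AEO).
# Claim names and purpose-of-use codes are assumptions for illustration only.
from dataclasses import dataclass
from typing import Optional

# Thresholds named in the ticket's proposed resolution text.
MIN_IAL = 1.8   # identity assurance level required for patient-initiated access
MIN_AAL = 2     # authenticator assurance level required for patient-initiated access

# Hypothetical purpose-of-use codes (constructed, not the IG's value set).
PATIENT_REQUEST = "PATRQT"
TREATMENT = "TREAT"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def _as_float(value) -> Optional[float]:
    """Accept numeric or string assurance levels; anything else counts as absent."""
    try:
        return float(value)
    except (TypeError, ValueError):
        return None


def evaluate_aeo(aeo: dict) -> Decision:
    """Apply the proposed rule: patient-initiated workflows SHALL include explicit
    end-user authorization (IAL1.8 identity proofing, AAL2 authentication and
    captured consent).  Assumes the JWT carrying this object was already
    signature-verified against the requesting organization's certificate."""
    purposes = aeo.get("purpose_of_use") or []
    if isinstance(purposes, str):
        purposes = [purposes]
    if PATIENT_REQUEST not in purposes:
        # The proposed NOTE 4.1 wording constrains patient-initiated workflows only;
        # other purposes of use are outside this check.
        return Decision(True, "not patient-initiated; end-user rule does not apply")

    end_user = aeo.get("end_user")
    if not isinstance(end_user, dict):
        # The organization-only B2B case the ticket flags as inconsistent with 4.1.
        return Decision(False, "patient request without explicit end-user authorization")

    ial = _as_float(end_user.get("ial"))
    aal = _as_float(end_user.get("aal"))
    if ial is None or ial < MIN_IAL:
        return Decision(False, f"identity assurance {end_user.get('ial')!r} below IAL{MIN_IAL}")
    if aal is None or aal < MIN_AAL:
        return Decision(False, f"authenticator assurance {end_user.get('aal')!r} below AAL{MIN_AAL}")
    if end_user.get("consent") is not True:
        return Decision(False, "end-user consent not captured")
    return Decision(True, "patient-initiated request with IAL1.8/AAL2 end-user authorization")


# Constructed sample AEOs, one per scenario discussed in the ticket.
ORG_ONLY_PATIENT_REQUEST = {            # organization signs for a patient, no end-user auth
    "version": "1",
    "organization_name": "Example Clinic",
    "purpose_of_use": [PATIENT_REQUEST],
    "patient": {"family": "Doe", "given": "Jane", "birthDate": "1980-01-01"},
}
B2B_PATIENT_USER = {                    # proposed "B2B Patient User" case
    **ORG_ONLY_PATIENT_REQUEST,
    "end_user": {"ial": "1.8", "aal": 2, "consent": True},
}
WEAK_END_USER = {                       # end user present but below the thresholds
    **ORG_ONLY_PATIENT_REQUEST,
    "end_user": {"ial": "1.0", "aal": 1, "consent": True},
}
TREATMENT_B2B = {**ORG_ONLY_PATIENT_REQUEST, "purpose_of_use": [TREATMENT]}

if __name__ == "__main__":
    samples = [("org-only patient request", ORG_ONLY_PATIENT_REQUEST),
               ("B2B patient user", B2B_PATIENT_USER),
               ("weak end user", WEAK_END_USER),
               ("treatment B2B", TREATMENT_B2B)]
    for name, aeo in samples:
        print(f"{name:26s} -> {evaluate_aeo(aeo)}")
```

      The gate fails closed: a patient-request purpose with no end-user block, or with assurance levels that cannot be parsed, is refused rather than treated as an organization-only request.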

      People

        Assignee: Unassigned
        Reporter: Aaron Nusstein (nussteja)
        Watchers: 3