PCF_19: Should Basic include agent authored by the Consent

IHE / ITI.PCF

The Privacy Consent on FHIR (PCF) Profile provides support for patient privacy consents and access control where a FHIR API is used to access Document Sharing Health Information Exchanges. This profile includes both Consent profiling and access controls profiling of oAuth access token.

Creative Commons Attribution 4.0 International

2 stars 2 forks source link

PCF_19: Should Basic include agent authored by the Consent #19

Open JohnMoehrke opened 1 year ago

JohnMoehrke commented 1 year ago

The Basic Explicit Option includes the ability for the Consent to identify a list of agents (device, relatedPerson, Practitioner, or Organization) that would be authorized by the Consent. This was supported by BPPC, so was considered Basic. However this has been identified as an unusual need today and thus would be more appropriate to be in the Intermediate group. Please comment on if you find this needed and agree that it should be in Basic, or if this support should be in Intermediate.

slagesse-epic commented 1 year ago

I would vote for this to be in the intermediate group.

Organization is often used in cross community trust domains, but in single organization affinity domains might not be needed.

The others are challenging since it is difficult to enumerate the set of persons, practitioners, or devices that might need access to the patient's information to accomplish any given task. For example, an HIM administrator might need to access the patient's record to make a correction, but patients are unlikely to recognize this need. Devices are even more nebulous and challenging to define.

JohnMoehrke commented 1 year ago

I am inclined to mostly include this in Intermediate except when the agent being authorized is an Organization. Seems Organization is basic?