diff --git a/API_README.md b/API_README.md
index dea28e956eb..fc6b0e042fd 100644
--- a/API_README.md
+++ b/API_README.md
@@ -433,7 +433,7 @@ curl -X GET 'https://localhost:9300/apis/default/portal/patient' \
 ## Security
 - OpenEMR adminstrators / installers should ensure that the API is protected using an end to end encryption protocol such as TLS
 - Password Grant SHOULD be turned off for any kind of production use as it has a number of security problems
-- Setting the Admin -> Config -> OAuth2 App Manual Approval Settings to be 'Manual Approval' prevents any OAuth2 application from accessing the API without manual approval from an administrator. This is the most secure setting. However, in the USA jurisdiction that must comply with CEHRT rules for ONC 2015 Cures Update, patient standalone apps must be approved within 48 hours of a patient requesting access in order to avoid pentalities under the Information Blocking Provisions from ONC. EHR administrators are not allowed to vet a patient's choice of an app as long as the app complies with OpenEMR's OAuth2 security requirements. If an app requests user/* or system/* scopes, administrators can vet an application and request additional information / security on an app by app basis. Leaving the setting at the default will auto-approve any patient standalone app.
+- Setting the Admin -> Config -> OAuth2 App Manual Approval Settings to be 'Manual Approval' prevents any OAuth2 application from accessing the API without manual approval from an administrator. This is the most secure setting. However, in the USA jurisdiction that must comply with CEHRT rules for ONC Cures Update, patient standalone apps must be approved within 48 hours of a patient requesting access in order to avoid pentalities under the Information Blocking Provisions from ONC. EHR administrators are not allowed to vet a patient's choice of an app as long as the app complies with OpenEMR's OAuth2 security requirements. If an app requests user/* or system/* scopes, administrators can vet an application and request additional information / security on an app by app basis. Leaving the setting at the default will auto-approve any patient standalone app.
 - Public apps (ones that can't securely store a secret) MUST implement the PKCE standard specified in [RFC 7636](https://www.rfc-editor.org/rfc/rfc7636). Confidential apps are still highly encouraged to implement PKCE to mitigate forms of MITM attacks such as multiple native app devices registering for the same custom url scheme used as the OAUTH2 redirect_uri in the authorization_code grant.
 ## For Developers
diff --git a/README.md b/README.md
index 6bd3439cb7f..7e9feef8d5c 100644
--- a/README.md
+++ b/README.md
@@ -59,7 +59,7 @@ This project exists thanks to all the people who have contributed. [[Contribute]
 ### Sponsors
-Thanks to our [2015 Edition Major Sponsors](https://www.open-emr.org/wiki/index.php/OpenEMR_Certification_Stage_III_Meaningful_Use#Major_sponsors)!
+Thanks to our [ONC Certification Major Sponsors](https://www.open-emr.org/wiki/index.php/OpenEMR_Certification_Stage_III_Meaningful_Use#Major_sponsors)!
 ### License
diff --git a/interface/modules/custom_modules/oe-module-ehi-exporter/Readme.md b/interface/modules/custom_modules/oe-module-ehi-exporter/Readme.md
index 43933363846..e3161bcf362 100644
--- a/interface/modules/custom_modules/oe-module-ehi-exporter/Readme.md
+++ b/interface/modules/custom_modules/oe-module-ehi-exporter/Readme.md
@@ -64,5 +64,5 @@ Users wanting to keep their psychotherapy notes confidential that are stored ins
 OpenEMR does not have a way of marking records as education records and so education records should not be stored in OpenEMR if using this system as a certified product.
-The ONC 2015 Certification public URL documentation for this export can be found at
+The ONC Certification public URL documentation for this export can be found at
 https://raw.githubusercontent.com/openemr/openemr/7.0.2/Documentation/EHI_Exports/docs/
diff --git a/interface/modules/custom_modules/oe-module-ehi-exporter/templates/oe-module-ehi-exporter/README.text.twig b/interface/modules/custom_modules/oe-module-ehi-exporter/templates/oe-module-ehi-exporter/README.text.twig
index f36909aad3f..b53a6530e0a 100644
--- a/interface/modules/custom_modules/oe-module-ehi-exporter/templates/oe-module-ehi-exporter/README.text.twig
+++ b/interface/modules/custom_modules/oe-module-ehi-exporter/templates/oe-module-ehi-exporter/README.text.twig
@@ -15,5 +15,5 @@ {{ "The local installation documentation for the format of the EHI Export data can be found at"|xlt }}: {{ webBaseUrl|text }}/Documentation/EHI_Export/docs/
-{{ "The ONC 2015 Certification public URL documentation for this export can be found at"|xlt }}
+{{ "The ONC Certification public URL documentation for this export can be found at"|xlt }}
 https://raw.githubusercontent.com/openemr/openemr/{{ certifiedReleaseVersion|text }}/Documentation/EHI_Exports/docs/
diff --git a/interface/patient_file/deleter.php b/interface/patient_file/deleter.php
index 08a1c2084b1..cd3e9460f1e 100644
--- a/interface/patient_file/deleter.php
+++ b/interface/patient_file/deleter.php
@@ -176,7 +176,7 @@ function form_delete($formdir, $formid, $patient_id, $encounter_id)
 // Delete a specified document including its associated relations.
 // Note the specific file is not deleted (instead flagged as deleted), since required to keep file for
-// ONC 2015 certification purposes.
+// ONC certification purposes.
 //
 function delete_document($document) {
diff --git a/interface/reports/rwt_2023_report.php b/interface/reports/rwt_2023_report.php
index 6e95a5f3cc5..da30074d24e 100644
--- a/interface/reports/rwt_2023_report.php
+++ b/interface/reports/rwt_2023_report.php
@@ -59,7 +59,7 @@
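Review bot: The rewritten literal on the `+{{ "The ONC Certification public URL documentation for this export can be found at"|xlt }}` line in README.text.twig is not just display text but, as the `xlt` filter suggests, also the lookup key for translation, so if the translation lookup matches on the exact English string the new wording will render untranslated until a matching entry exists and the old "ONC 2015 Certification…" entry is left unused. It is worth confirming that the translation constants are regenerated or the new string is added alongside this change, since the plain Readme.md and deleter.php hunks carry the same wording change without any such dependency.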
' /> diff --git a/interface/reports/rwt_2024_report.php b/interface/reports/rwt_2024_report.php index b6832b9afe1..3dab16d4e78 100644 --- a/interface/reports/rwt_2024_report.php +++ b/interface/reports/rwt_2024_report.php @@ -59,7 +59,7 @@ ' />