Scope limit to the minimum necessary #84
Conversation
The grants, scope, and period of time requested by the client should be guided by the minimum necessary rule, per HIPAA and basic security principle.
Added required and optional parameters included in the authorization request. Content that was here was inconsistent with the Argonaut SMART on FHIR profile. Via a separate pull request, I have also requested that the content regarding use of the OS's native browser also should be removed from this section.
|
I would mark these as points of discuss with @whitehatguy - e.g. leaving In any case, this is an example of a breaking change from our current spec that needs to be highlighted and raised as a question. |
|
A strict interpretation of HIPAA, RFC 6749 would demand fine-grained access control (at the data element, rather than resource level). How we reconcile SMART on FHIR with HIPAA mandates has been a source of friction at several healthcare organizations I have worked with. We need to consider the practicality of demanding that any application owner, provide evidence of necessity for specific elements within a resource. Application owners can generally find a way to justify their needs for all elements in a resource (e.g. Patient). Still this is a very interesting question, especially as it relates to broad resource types (e.g. Observation). Is this still an open question, are are we still working under the understanding that IaM is outside the purview of SMART? |
|
This is out of scope for what we could reasonably define at the SMART specification level. One clear demonstration of this fact: the "minimum necessarily" condition applies to HIPAA authorized access, but isn't relevant for Patient API access. In other words, the decision about what is necessary in the context of a provider facing app needs to be up to the provide (or provider organization), but for patient access apps it's entirely up to the patient. |
|
Your comment re "patient access apps it's entirely up to the patient” is
very helpful. Thank you !!
…On Wed, Dec 7, 2016 at 5:07 PM, Josh Mandel ***@***.***> wrote:
This is out of scope for what we could reasonably define at the SMART
specification level. One clear demonstration of this fact: the "minimum
necessarily" condition applies to HIPAA authorized access, but isn't
relevant for Patient API access. In other words, the decision about what is
necessary in the context of a provider facing app needs to be up to the
provide (or provider organization), but for patient access apps it's
entirely up to the patient.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#84 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AEYnryQe15IE_v9iGsA2QPmKFt8sPbAsks5rF1g4gaJpZM4Fs_fp>
.
--
Kind Regards,
Jonathan
Jonathan Ben-Hamou
ICOE Group Inc
Mobile: +1 (206) 491 3683
eFax: +1 (206) 260 4005
|
The grants, scope, and period of time requested by the client should be guided by the minimum necessary rule, per HIPAA, RFC 6749, and foundation security principle.